Report No. D-2009-005             October 10, 2008

Controls Over the Contractor Common Access Card Life Cycle

Additional Information and Copies
To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Audits
To suggest ideas for or to request future audits, contact the Office of the Deputy Inspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms and Abbreviations
AMC          Army Materiel Command
CAC          Common Access Card
CVS          Contractor Verification System
DEERS        Defense Enrollment Eligibility and Reporting System
DMDC         Defense Manpower Data Center
DUSA-BT      Deputy Under Secretary of the Army for Business Transformation
GS           General Schedule
ILP          Inventory Logistics Portal
JPAS         Joint Personnel Adjudication System
KBR          Kellogg, Brown, and Root, Inc.
NACI         National Agency Check with Inquiries
RAPIDS       Real-Time Automated Personnel Identification System
SES          Senior Executive Service
SPOC         Service Point of Contact
TASM         Trusted Agent Security Manager
USD (AT&L)   Under Secretary of Defense for Acquisition, Technology, and Logistics
USD (P&R)    Under Secretary of Defense for Personnel and Readiness

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

October 10, 2008

MEMORANDUM FOR DISTRIBUTION

SUBJECT: Controls Over the Contractor Common Access Card Life Cycle (Report No. D-2009-005)

We are providing this report for review and comment. We considered comments from clients on a draft of this report when we prepared the final report.

DoD Directive 7650.3 requires that all recommendations be resolved promptly. We reviewed comments from the Under Secretary of Defense for Acquisition, Technology, and Logistics; the Under Secretary of Defense for Personnel and Readiness; the Under Secretary of Defense for Intelligence; the Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer; the Commander, U.S. Army Materiel Command; the Deputy Under Secretary of the Army for Business Transformation; the Director, Defense Manpower Data Center; and the Adjutant General, U.S. Army Human Resources Command.

After receiving client comments, we met with representatives from the Offices of the Secretary of Defense, the Under Secretary of Defense for Personnel and Readiness, and the Deputy Under Secretary of the Army for Business Transformation. As a result of these meetings, we added two recommendations and revised four recommendations. Our clients agreed to take additional actions not addressed in their responses to the draft report.
On the basis of these agreements, we consider the recommendations generally resolved; however, they remain open for reporting purposes pending receipt and review of comments on the final report. We added Recommendation A.1. and renumbered draft Recommendations A.1. through A.5. as A.2. through A.6. We renumbered draft Recommendation B.3. as B.4. after adding a new B.3. We revised Recommendations A.3.a.(2), A.3.b.(2), B.2., and C.1.c. We request additional comments on the added and revised recommendations, as well as on Recommendations A.3.a.(1)(b), A.3.b.(1), A.3.c., B.1.a., B.1.b., C.1.a., C.1.b., C.2.a., and C.2.b., by October 31, 2008. Please see the recommendations table on page ii for responsible organizations.

Please provide comments that conform to the requirements of DoD Directive 7650.3. If possible, send your comments in electronic format (Adobe Acrobat file only) to AudJ&OO dodi .mil. Copies of your comments must have the actual signature of the authorizing official for your organization. We are unable to accept the / Signed / symbol in place of the actual signature. If you arrange to send classified comments electronically, you must send them over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff. Please direct questions to Ms. Melinda M. Oleksa at (703) 604-9174 (DSN 664-9174) or Ms. Hanh T. Nguyen at (303) 676-7397 (DSN 926-7397).
Team members are listed inside the back cover.

Principal Assistant Inspector General for Auditing

DISTRIBUTION:

DEPUTY SECRETARY OF DEFENSE
UNDER SECRETARY OF DEFENSE FOR ACQUISITION, TECHNOLOGY, AND LOGISTICS
UNDER SECRETARY OF DEFENSE FOR PERSONNEL AND READINESS
UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE
ASSISTANT SECRETARY OF DEFENSE (NETWORKS AND INFORMATION INTEGRATION)/DOD CHIEF INFORMATION OFFICER
COMMANDER, U.S. ARMY MATERIEL COMMAND
ASSISTANT SECRETARY OF THE AIR FORCE (FINANCIAL MANAGEMENT AND COMPTROLLER)
NAVAL INSPECTOR GENERAL
DEPUTY UNDER SECRETARY OF THE ARMY FOR BUSINESS TRANSFORMATION
AUDITOR GENERAL, DEPARTMENT OF THE ARMY
DIRECTOR, DEFENSE MANPOWER DATA CENTER
ADJUTANT GENERAL, U.S. ARMY HUMAN RESOURCES COMMAND

Report No. D-2009-005 (Project No. D2007-D000LA-0199.001)                                October 10, 2008

Results in Brief: Controls Over the Contractor Common Access Card Life Cycle

The life cycle of the contractor Common Access Card (CAC) consists of approval, issuance, reverification, revocation, and recovery. DoD officials use the Contractor Verification System (CVS) to approve contractor CACs, and the Real-time Automated Personnel Identification System (RAPIDS) to issue CACs.

What We Did
The objective of this audit was to determine whether controls over contractor CACs were in place and worked as intended. This audit is the first in a series on contractor CACs.

What We Found
Additional controls over contractor CACs are needed, and existing controls need improvement. Specifically, contractor CACs were not consistently approved, issued, reverified, revoked, or recovered across DoD.
    • Government sponsors had inadequate evidence to link contractors to a contract or justify a CAC expiration date.
    • Some contractors received CACs without undergoing background checks or receiving appropriate Government approval.
    • CAC issuers changed information approved by Government sponsors.
    • DoD did not always recover revoked contractor CACs.

Also, better Army oversight is required for a Kellogg, Brown, and Root, Inc. (KBR) RAPIDS site that issued 25,428 CACs to contractors deploying to Southwest Asia.
    • A KBR subcontractor did background checks with no Army oversight.
    • A contractor facilitated a CAC approval process that bypassed CVS.
    • Nearly half of revoked CACs were not recovered.

Contractors were misclassified as Government employees on their CACs. Specifically, 40,055 contractor CACs indicated the holders had General Schedule pay grades, and 211,851 had e-mail addresses that improperly identified the holders as U.S. Government employees.

Also, contractors could become CVS sponsors, and sponsors who left Government service may have been approving CACs.

Overall, CAC life-cycle weaknesses pose a potential national security risk that may result in unauthorized access to DoD resources, installations, and sensitive information worldwide.

What We Recommend
To tighten controls over contractor CACs, we recommend implementing:
    • joint, DoD-wide, contractor CAC life-cycle policy;
    • improved Army oversight at the KBR CAC issuance site;
    • additional system controls for CVS and RAPIDS; and
    • procedures to ensure CAC sponsors are current Government employees.

Client Comments and Our Response
Clients generally concurred with the recommendations. One outstanding item remained, which related to implementing systems controls to reject improper e-mail addresses for contractors applying for a CAC. As a result of management and client comments, we added, revised, and renumbered recommendations. For the recommendations requiring additional comments, please see the table on the back of this page.

Recommendations Table

Client                            Recommendations                   No Additional Comments
                                  Requiring Comment                 Required

Deputy Secretary of Defense       A.1.

Under Secretary of Defense for                                      A.2., A.5., and D.2.
Acquisition, Technology, and
Logistics

Under Secretary of Defense for    A.3.a.(1)(b), A.3.a.(2),          A.3.a.(1)(a), A.3.d., A.3.e.,
Personnel and Readiness           A.3.b.(1), A.3.b.(2), A.3.c.,     A.5., and D.2.
                                  C.1.a., C.1.b., C.1.c., C.2.a.,
                                  and C.2.b.

Under Secretary of Defense for    C.2.a. and C.2.b.                 A.4., A.5., D.2.
Intelligence

Assistant Secretary of Defense    C.2.a. and C.2.b.
(Networks and Information
Integration)/DoD Chief
Information Officer

Commander, U.S. Army Materiel     B.1.a., B.1.b., and B.2.          B.1.c. and B.1.d.
Command

Deputy Under Secretary of the     B.3.
Army for Business
Transformation

Director, Defense Manpower Data                                     A.6. and D.1.
Center

Adjutant General, U.S. Army                                         B.4.
Human Resources Command

Please provide comments by October 31, 2008.

Table of Contents

Results in Brief

Introduction
    Objectives
    Background
    Reliance on Computer-Processed Data
    Subsequent Common Access Card Audits

Finding A. Policy Governing the Contractor Common Access Card Life Cycle
    Actions Taken by the Defense Manpower Data Center
    Recommendations, Client Comments, and Our Response

Finding B. Oversight of Common Access Cards for Contractors Deploying to Southwest Asia
    Clients Comments on the Finding and Our Response
    Recommendations, Client Comments, and Our Response

Finding C. Identification of U.S. and Foreign National Contractors
    Actions Taken by the Defense Manpower Data Center
    Recommendations, Client Comments, and Our Response

Finding D. Oversight of Common Access Card Sponsors
    Actions Taken by the Defense Manpower Data Center
    Recommendations, Client Comments, and Our Response

Appendices
    A. Scope and Methodology
        Review of Internal Controls
        Prior and Related Coverage
    B. Estimates Based on Statistical Sampling
    C. Multiple Active CACs
    D. Contract Clauses Governing CAC Recovery

Client Comments
    Under Secretary of Defense for Acquisition, Technology, and Logistics
    Under Secretary of Defense for Personnel and Readiness
    Under Secretary of Defense for Intelligence
    Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer
    U.S. Army Materiel Command
    Deputy Under Secretary of the Army for Business Transformation
    U.S. Army Human Resources Command

Introduction

Objectives
The overall objective of this audit was to determine whether controls over Common Access Cards (CACs) provided to contractors were in place and worked as intended. Specifically, we determined whether DoD officials issued CACs to contractors, verified the continued need for contractors to possess CACs, and revoked and recovered CACs from contractors in accordance with DoD policies and procedures.

Background
In October 2000, DoD began issuing CACs to active-duty military personnel, reserve personnel, civilian employees, and eligible contractors. DoD personnel and eligible contractors use CACs as a general identification card and to gain access to DoD resources, installations, and sensitive information. In addition, CACs allow DoD personnel and eligible contractors to electronically sign and send encrypted e-mails to facilitate daily business activity. Under the Geneva Conventions, the CAC also serves as an identification card for civilians and contractors who accompany the Armed Forces during a conflict, combat, or contingency operation.
Figure 1 summarizes CAC responsibilities of DoD agencies according to DoD Directive 1000.25, “DoD Personnel Identity Protection (PIP) Program,” July 19, 2004, and the Web site of the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD [AT&L]).

Figure 1. CAC Responsibilities of DoD Agencies

As shown in Figure 1, the responsibilities for implementing and overseeing the CAC program are spread among many DoD agencies, requiring extensive coordination. DoD has not established a lead agency to control overall CAC implementation.

Contractor CACs
A contractor CAC looks different from military and DoD civilian CACs. It displays a green vertical¹ stripe and contractor affiliation, allowing Government officials to differentiate a contractor’s access privileges to DoD resources, installations, and information from civilian or military access privileges. See Figure 2 for CAC samples.

Figure 2. Samples of Civilian and Contractor CACs

An Office of the Secretary of Defense Memorandum signed by the Under Secretary of Defense for Personnel and Readiness (USD [P&R]) and the DoD Chief Information Officer, “Common Access Card (CAC),” January 16, 2001, implemented CAC policy for a common identification card intended to grant access to DoD facilities and networks. This policy was updated in an Office of the Secretary of Defense Memorandum signed by USD (P&R) and the DoD Chief Information Officer, “Common Access Card—Changes,” April 18, 2002.

¹ DMDC stated that the new Homeland Security Presidential Directive-12 CAC has a green horizontal stripe to indicate a contractor.

Systems Used To Process Contractor CACs
A memorandum from USD (P&R), “DEERS/RAPIDS Lock Down for Contractors,” November 10, 2005, mandates the use of the Contractor Verification System (CVS) to approve contractors’ applications for CACs. CVS is a Web-based system that feeds information on approved contractors into the Defense Enrollment Eligibility and Reporting System (DEERS), the central repository for information collected about DoD personnel and their authorized beneficiaries.

A second system, the Real-time Automated Personnel Identification System (RAPIDS), retrieves contractor records from DEERS and prints the information on CACs for issuance.

Reliance on Computer-Processed Data
We relied on computer-processed data for the numbers and percentages in the findings. In finding A, we used statistical sampling estimates, which we identified by using the word “estimate” before stating the percentage. Some numbers and percentages in finding A were not based on statistical estimates, and therefore we did not use the word “estimate” to describe these.
Findings B, C, and D did not use statistical estimates. Appendix A explains how computer-processed data were used and our assessment of their reliability.

Subsequent Common Access Card Audits
This audit is the first in a series on the contractor CAC. The second in the series focuses on the contractor CAC in Southwest Asia. The third in the series focuses on the contractor CAC in the Republic of Korea. Subsequent CAC audits may be planned for other overseas locations.

The Federal Acquisition Regulation 2.101 states that an “Inherently Governmental Function means, as a matter of policy, a function that is so intimately related to the public interest as to mandate performance by Government employees.” Some of the identified weaknesses in this report may be related to contractors performing inherently governmental functions. This issue will be included in subsequent audits.

Finding A. Policy Governing the Contractor Common Access Card Life Cycle
Contractor CACs were not consistently approved, issued, reverified, revoked, or recovered across DoD. These CAC life-cycle weaknesses pose a potential national security risk that may result in unauthorized access to DoD resources, installations, and sensitive information worldwide. To improve national security, DoD should implement policy governing CACs from approval to recovery. The policy should require:
    • Government sponsors to coordinate with contracting and security personnel before approving contractor CACs,
    • system controls for CVS and RAPIDS to prevent improper changes to contractor CAC records, and
    • a clause in DoD contracts to encourage CAC recovery.

Phases of the CAC Life Cycle
The contractor CAC life cycle consists of four phases: application approval, issuance, reverification, and revocation and recovery.
The application approval phase begins when a contractor requests a CAC through CVS. After the CVS application is approved, the contractor reports to a RAPIDS site for CAC issuance. After issuance, CAC reverification occurs in CVS every 180 days to ensure the contractor continues to need a CAC. Finally, the CAC revocation and recovery phase begins when contractors no longer need or are authorized CACs. Figure 3 displays the phases, and Figure 5 shows a detailed chart of the contractor CAC life cycle.

Figure 3. Phases of the Contractor CAC Life Cycle

Management of CAC Life Cycle Phases
As noted in the introduction, the responsibilities for implementing and overseeing the CAC program are spread among many DoD agencies. Those responsibilities also vary by phase in the contractor CAC life cycle. DoD has not established a single agency to control overall CAC implementation—including physical and logical access, background checks, and systems controls—to ensure that contractors seeking CACs to gain access to DoD resources and information are properly vetted, authorized, and monitored.

Statistical Samples
Each phase of the CAC life cycle has unique functions; therefore, we used statistical sampling to audit each phase. The Defense Manpower Data Center (DMDC) provided four contractor CAC data populations that corresponded to each phase of the contractor CAC life cycle. We grouped the data geographically to determine the locations with the most contractor CAC activity for each DoD Component.² We used these locations as our subpopulations for statistical sampling.
We relied on the Office of Inspector General Quantitative Methods Directorate to randomly select a sample for each subpopulation. See Appendix A for additional information about the statistical samples.

For each statistical sample, we tested specific steps in the CAC life cycle. On the basis of the test results, the Office of Inspector General Quantitative Methods Directorate estimated the number of deficiencies in each subpopulation. These estimates include an interval with upper and lower bounds using a 90-percent confidence level. We are 90-percent confident that the number of deficiencies in the CAC life cycle lies within an estimated range of the subpopulation; there is a 10-percent risk that the true value is outside the interval. Finding A reports the point estimate of each sample (middle of upper and lower bounds); see Appendix B for additional information on the estimates based on each statistical sample. Table 1 summarizes the details of each sample.

Table 1. Statistical Sampling of Contractor CACs by Phase

Data Populations       Total      Records in       Subpopulation as      Sample
Provided by DMDC       Records    Subpopulation    a Percent of Total    Size

CVS applications       126,331    39,532           31%                   235
CACs issued            462,952    97,117           21%                   145
CVS reverifications     61,492    32,098           52%                   160
CACs revoked           175,037    28,205           16%                   250

² DoD Components include the Army, the Navy, the Air Force, the Marine Corps, and DoD agencies.

Approval of Contractors’ Applications for CACs
According to the USD (P&R) Memorandum, “DEERS/RAPIDS Lock Down for Contractors,” November 10, 2005 (hereafter referred to as the P&R Memorandum), as of July 2006 contractors who need CACs are required to apply for them electronically using CVS.
Each contractor should be sponsored by a Government official, also known as a Trusted Agent,³ who is authorized to enter information into CVS.

Before approving contractors’ applications for CACs in CVS, Trusted Agents must do the following.

    • Establish the contractor’s affiliation with the Government through contract requirements in accordance with the Federal Information Processing Standards Publication 201-1, “Personal Identity Verification (PIV) of Federal Employees and Contractors,” March 2006, and DMDC CVS User Training Guide, Version 1.9, July 19, 2007.⁴

    • Establish the contractor’s need for logical and physical access and the duration of access to DoD networks or facilities in accordance with the DMDC CVS User Training Guide, Version 1.9, July 19, 2007.

    • Verify that the contract companies have vetted their contractors’ backgrounds⁵ in accordance with the DMDC CVS User Training Guide, Version 1.9, July 19, 2007.

Contractor Affiliation With DoD
An estimated 82.93 percent of 39,532 CVS applications did not adequately document contractors’ affiliations to the referenced DoD contracts (see Appendix B for the detailed estimate).
The P&R Memorandum did not indicate how Trusted Agents should validate a contractor’s affiliation and did not require Trusted Agents to retain information supporting CAC applications.

Based on interviews with Trusted Agents at 32 CVS sites, a contractor’s DoD affiliation was established through several means, such as:

    • visit authorization letters⁶ from contract companies that requested contractor CACs for access to DoD resources, installations, and information to perform contract services, and

    • requests by telephone or e-mail from contractor employees or Government contracting personnel for a CAC.

³ Trusted Agents were often Government contracting personnel or security managers. In many instances, they held other Government positions, such as financial managers and administrative staff.
⁴ Version 1.7, issued in September 2006, contained the same guidelines.
⁵ Background checks are discussed under the issuance phase because the approval of an application does not necessarily result in a CAC being issued.
⁶ Visit authorization letters contained contractor information such as name, Social Security number, date of birth, contract number, and security clearance level.

However, supporting documentation and explanations provided by Trusted Agents did not confirm that contractors with CACs had legitimate DoD affiliations. Examples follow.

    • At one CVS site, a Trusted Agent stated that, under the Privacy Act, he was not permitted to maintain any personal information; therefore, he did not provide any supporting documentation related to the referenced contracts proving that contractors he sponsored had a valid DoD affiliation.

    • At another CVS site, a Trusted Agent stated that she destroyed CAC application forms because there was no requirement to retain them.

    • At other CVS sites, several Trusted Agents stated that they had personal knowledge of which contractors needed CACs, even though some of the Trusted Agents were responsible for hundreds of contractors.

Also, 2,560 of the 126,331 CVS applications provided by DMDC from January 1 through June 30, 2007, did not reference a valid contract number. For example, “n/a” is not a valid contract number.

CAC Expiration Dates
An estimated 89.50 percent of 39,532 CVS applications did not have sufficient evidence to support that CAC expiration dates were within the scope of DoD contract periods of performance (see Appendix B for the detailed estimate). The Office of the Secretary of Defense Memorandum signed by USD (P&R) and the DoD Chief Information Officer, “Common Access Card (CAC)—Changes,” April 18, 2002 (hereafter the CAC Memorandum), allows CACs to be issued for a period of 3 years or the individual’s term of service, employment, or association with DoD, whichever is shorter. However, Trusted Agents could not provide supporting documentation that showed their contractors were associated with DoD contracts for a specific period of performance.
Instead, Trusted Agents used various methods to establish the contractor CAC expiration date. For example, a Trusted Agent stated that he used the end date of the last option year of a contract as the CAC expiration date. Another Trusted Agent stated that she approved CACs for 2 years past the contract end date.

To reduce CAC issuance workload, the Army and Navy DEERS/RAPIDS program offices instructed their RAPIDS personnel, by e-mail, to issue contractor CACs for a period of 3 years regardless of the contractors’ terms of service. Until CVS reverification and recovery are proven to function correctly across DoD, CAC expiration dates should be established in accordance with DoD guidance.

Issuance of CACs
According to RAPIDS Site Security Managers⁷ at 35 locations, contractors report to a RAPIDS station, specifically to RAPIDS Verifying Officials⁸ at the same locations, to obtain their CACs. After verifying the contractor’s identity, the Verifying Official uses the contractor’s Social Security number to retrieve the contractor’s record from DEERS. If the contractor’s DEERS record indicates that the contractor is sponsored through CVS, the Verifying Official issues the CAC. If the contractor does not have a DEERS record or the record does not indicate that the contractor is sponsored through CVS, the Verifying Official directs the contractor to the CVS Trusted Agent to appropriately resolve the matter.

Background Checks
According to data obtained from the Joint Personnel Adjudication System (JPAS), Trusted Agents approved an estimated 40.49 percent of 97,117 contractor CACs without verifying that background checks had been initiated or completed for the contractors (see Appendix B for the detailed estimate).
The P&R Memorandum does not require Trusted
Agents to confirm with a Government security office that contractor background checks
have been initiated or completed before approving their CVS applications. Trusted
Agents stated that they did not confirm that background checks for contractors had been
initiated or completed because:

    •   contract companies were responsible for obtaining proper background checks for
        their employees,

    •   contractors did not work on classified contracts, and

    •   Government security officers were responsible for background checks.

Although a security clearance is not required to obtain a CAC, Homeland Security
Presidential Directive-12, “Policy for a Common Identification Standard for Federal
Employees and Contractors,” August 27, 2004, and Federal Information Processing
Standard 201-1 require contractors seeking a CAC to have a National Agency Check with
Inquiries (NACI) or an equivalent background investigation. Officials from the Office of
the Under Secretary of Defense for Intelligence stated that a National Agency Check with
Local Records and Credit Check, or a NACLC, is an equivalent investigation. DoD
Regulation 5200.08-R, “Physical Security Program,” April 9, 2007, also requires a NACI
or an equivalent investigation for permanent issuance of the CAC. Accordingly, we
relied on the Office of Inspector General Personnel Security Office to check JPAS and
verify whether contractors who were issued a CAC had a NACI or an equivalent
background check.[9] We did not search other systems because DoD Directive 1000.25,
“DoD Personal Identity Protection (PIP) Program,” July 19, 2004, designates JPAS as the
DoD personnel security clearance system. JPAS maintains all types of personnel
clearance actions, including initial requests for background checks.

[7] A RAPIDS site cannot operate without a Site Security Manager, who is responsible for user and site
administration, management of CAC stock, policy and procedure compliance, documentation and training,
and future CAC issuance enhancements.
[8] Verifying Officials operate RAPIDS stations and issue CACs to contractors. Verifying Officials can be
Government officials or contractors.

Government Approval
RAPIDS personnel issued an estimated 16.19 percent of 97,117 contractor CACs without
the required Government approval (see Appendix B for the detailed estimate). RAPIDS
did not have the controls to prevent CAC issuance to contractors who were not sponsored
in CVS.

The P&R Memorandum states that, as of July 31, 2006, CAC issuance to contractors
should be accomplished using CVS. However, Verifying Officials issued numerous
CACs before this effective date using DD Form 1172-2, “Application for Department of
Defense Common Access Card DEERS Enrollment.” Specifically, contractors
requesting access to DoD facilities and networks completed a DD Form 1172-2 and
submitted it to a Government sponsor. When the Government sponsor approved and
returned the form to contractors, they then reported to a RAPIDS station. The RAPIDS
Verifying Official issued the contractors their CACs based on the DD Form 1172-2
information. If a contractor did not have a personnel record in DEERS, the Verifying
Official created a DEERS record for the contractor. If the contractor already had a
DEERS record, the Verifying Official ensured the information was up-to-date and issued
the CAC. If the DD Form 1172-2 was not complete or approved, the Verifying Official
required the contractor to obtain an appropriate form from the sponsor.
Verifying Officials later forwarded the DD Forms 1172-2 to the DMDC Support Office for storage.

As of October 2007, one of the Army RAPIDS sites was still accepting the
DD Form 1172-2 for CACs instead of applications submitted electronically through CVS.
See finding B for details of the continued use of DD Form 1172-2.

The DMDC Support Office could not provide a CAC application that showed evidence of
Government approval either through CVS or DD Form 1172-2 for 18 of 145 contractor
CACs. Of the 18 contractor CACs, 4 were issued in 2007, after the CVS mandate took
effect.

CAC Reissuance
According to the CAC Memorandum, CAC reissuance occurs when CACs are lost,
stolen, or damaged or when information printed on the CAC requires change. Several
RAPIDS Site Security Managers stated that they reissue CACs to contractors who report
the cards missing as long as contractors have a valid DEERS record.

[9] See Appendix A for additional information about our reliance on the Office of Inspector General
Personnel Security Office, and finding B for additional information on background investigation
requirements.

Based on the DMDC data spanning January 1 through June 30, 2007, 4,309 of the
151,984 revoked CACs were coded as “lost.”[10] It was not clear whether these contractors
who lost CACs were eligible for reissuance. Therefore, when reissuing a CAC, the
Verifying Officials should confirm that Trusted Agents have reestablished a contractor’s
continued affiliation with DoD in CVS.

Issuance of Multiple Active Contractor CACs
As of July 19, 2007, DMDC data showed 772 U.S. and foreign national contractors with
multiple active CACs, totaling 1,545 CACs. Appendix C details the number of
contractors and CAC types.
In the CAC Memorandum, DoD acknowledges that there are
individuals who have multiple affiliations with the Department, such as a reservist who is
also a DoD contractor. However, DoD has not developed a solution for issuing a single
CAC regardless of the number of affiliations.

Although a contractor may have both a contractor and a military reservist CAC, it does
not seem logical that a contractor should possess two contractor CACs. The DMDC data
showed a contractor who had two active contractor CACs—one Identification CAC and
one Identification and Privilege CAC.[11] The complexity of CAC affiliations and the
number of contractors with multiple CACs may prevent DoD from accurately accounting
for its contractors overseas or in the United States.

Consistency of Contractor CAC Information
The RAPIDS Verifying Officials issued an estimated 29.45 percent of 97,117 contractor
CACs with information different from that approved by the Government sponsor through
CVS/DD Form 1172-2 (see Appendix B for the detailed estimate). Specifically,
contractor CAC information such as pay grades, e-mail addresses, and expiration dates[12]
differed between DEERS/RAPIDS and CVS/DD Form 1172-2 (see Table 2 for details).
Reasons for differences were that CVS did not include all fields from DD Form 1172-2,
such as pay grade and Geneva Conventions category, and that RAPIDS did not have
automated system controls to prevent Verifying Officials from changing contractor
information entered or approved by the Trusted Agent in CVS.

[10] We ascertained this by querying the DMDC database on the revoke code, a character in DEERS that
explains why a CAC was revoked.
For example, revoke code “L” means the CAC was lost.
[11] A DoD Identification and Privilege CAC entitles the holder to exchange and commissary privileges,
access to recreation facilities, and military discounts.
[12] See finding A, page 8, for a discussion of expiration dates.

Table 2. Inconsistencies in the Sample of 145 CACs Issued to Contractors

    Name   Pay Grade   Geneva Conventions   E-mail Address   Duty Country   CAC Expiration
                       Category                                             Date
    2      2           3                    30               9              9

In one case, a Trusted Agent approved a contractor CAC for expiration on June 30, 2007;
however, a RAPIDS Verifying Official changed the expiration date to May 29, 2010.
Another CAC application had no expiration date, and the Verifying Official issued a
3-year CAC. In both cases, the Verifying Officials had no authority to set or extend the
contractor’s CAC expiration date. As previously discussed, contractors’ CAC
applications should be approved by Trusted Agents in CVS. When Verifying Officials
believe that there is an error in a contractor’s CAC application, they should direct the
contractor to see his or her Trusted Agent so that appropriate changes are made.

Reverification of CACs
CVS was implemented to facilitate better tracking of contractor CACs than was possible
with the manually processed DD Form 1172-2. One improvement to the process in CVS
was the programmed prompt to reverify contractor CACs. Specifically, the DMDC CVS
User Training Guide states that the Trusted Agent should reverify a contractor’s need for
a CAC every 180 days.
When a contractor reaches the 150-day mark, the Trusted Agent
receives e-mail notification from CVS to reverify the contractor’s continued need for the
CAC. The Trusted Agent has 30 days after this notification to reverify, or the
contractor’s CAC will automatically be revoked.

An estimated 92.04 percent of 32,098 CVS reverifications did not have sufficient
evidence to support the contractors’ continued need for CACs (see Appendix B for the
detailed estimate). The P&R Memorandum did not require Trusted Agents to confirm
with contracting officials the contractors’ continued need for CACs or to maintain
evidence of such confirmation. Therefore, Trusted Agents performed reverification in
many different ways. For example, Trusted Agents stated that they:

   •    checked JPAS, Army Knowledge Online, the Microsoft global e-mail address list,
        and local installation or facility badging systems to determine whether contractors
        continued working with the Government, and

   •    recognized contractors’ faces and assumed that contractors still needed CACs.

Some Trusted Agents sponsored many contractors while carrying out other duties.
Trusted Agents’ workload may have contributed to the lack of strong reverification
procedures.

Approximately 91.2 percent of 6,282, or 5,727 Trusted Agents, sponsored 50 or fewer
contractors from January 1 through June 30, 2007. However, the remaining 8.8 percent,
or 555 Trusted Agents, sponsored an average of 117 contractors during this period; Table
3 has details.

Table 3.
Sponsorship Load of Trusted Agents During the First 6 Months of 2007

    Number of Contractors           Number of Trusted Agents
    Sponsored per Trusted Agent     With This Load
    1 – 10                          4,017
    11 – 25                         1,117
    26 – 50                           593
    51 – 100                          364
    101 – 250                         155
    251 – 500                          27
    501 – 1,000                         7
    More than 1,200                     2

Because there are no standard procedures for reverification, it is difficult to estimate how
long a reverification would take. Therefore, a reasonable limit on the number of
contractors a Trusted Agent may sponsor could not be established. However, DoD
should strengthen the reverification control by examining additional ways to establish a
reasonable number of contractors a Trusted Agent may sponsor.

In addition, the CVS User Training Guide did not specify procedures for the Trusted
Agents to reverify their contractors’ CACs. Rather, the Guide states:

    To reverify a contractor’s authorization to hold a CAC, click on the
    “Reverify” button. When the “Reverify” button is clicked, a pop-up
    window will appear . . . which asks you to confirm that you would like
    to reverify the applicant’s privileges to continue to carry a CAC. Click
    “OK” to process the verification request.

Figure 4 illustrates the reverification pop-up window.

Figure 4.
Reverification Pop-up Window

Because Trusted Agents may have had too many contractors and CVS reverification
required only clicking a button, sponsors may not have spent much time or effort on
reverification. Further, because documentation is lacking, DoD has no assurance that the
Trusted Agents performed the reverification thoroughly and consistently across DoD.

Revocation and Recovery of Contractor CACs
The CAC Memorandum states that invalid, inaccurate, inoperative, or expired CACs
shall be returned to a RAPIDS site for disposition. When they receive the CACs, the
RAPIDS Site Security Managers submit the CACs to DMDC. When DMDC receives
them, DMDC updates their status in the Inventory Logistics Portal (ILP), the system for
inventory and logistic management of CAC cardstock. This action indicates that the
CACs have been revoked, recovered, and prepared for destruction.

Recovery Procedures
DoD officials did not recover an estimated 37.85 percent of 28,205 revoked CACs. In
addition, we could not determine whether DoD recovered an estimated 19.91 percent of
the 28,205 revoked CACs (see Appendix B for the detailed estimate). The CAC and
P&R Memoranda do not outline specific procedures for collecting revoked CACs. In
addition, the CAC and P&R Memoranda do not specify procedures for following up with
companies whose contractors do not return their CACs. Many Trusted Agents expressed
concerns about their responsibilities for recovering CACs. Examples follow.

     •   Because contractors worked at different locations, Trusted Agents were unaware
         of contractors leaving until after the fact.
         Thus, recovering CACs was difficult.

     •   Trusted Agents revoked contractors’ records in CVS, but felt it was not their job
         to collect CACs.

Further, the CAC and P&R Memoranda do not assign responsibility for recovering
contractor CACs. Trusted Agents stated that:

     •   contractors were required to turn in their CACs to the companies, and

     •   Government contracting personnel were responsible for retrieving the CACs.

Contract Clause
DoD did not have a contract clause to make contractor companies aware that CACs need
to be returned upon employees’ termination, resignation, or completion of service. Of the
nine[13] Federal and DoD acquisition regulations reviewed, two[14] contained clauses that
could be inserted in DoD contracts for governing the CAC recovery process (see
Appendix D for details of the regulations). However, those regulations were vague,
leaving contracting officials to determine whether the clauses should be included in the
contracts.

[13] (1) Federal Acquisition Regulation, (2) Defense Federal Acquisition Regulation Supplement, (3) Army
Federal Acquisition Regulation Supplement, (4) Navy-Marine Corps Acquisition Regulation Supplement,
(5) Air Force Federal Acquisition Regulation Supplement, (6) Air Force Materiel Command Federal
Acquisition Regulation Supplement, (7) Air Force Space Command Federal Acquisition Regulation
Supplement, (8) Defense Logistics Acquisition Directive Federal Acquisition Regulation Supplement, and
(9) U.S. Special Operations Command Federal Acquisition Regulation Supplement.

U.S. Law Governing Identification Cards
Unauthorized possession of an official identification card, like a CAC, can be prosecuted
criminally under section 701, title 18, United States Code.
It states:

    Whoever manufactures, sells, or possesses any badge, identification
    card, or other insignia, of the design prescribed by the head of any
    department or agency of the United States for use by any officer or
    employee thereof, or any colorable imitation thereof, or photographs,
    prints, or in any other manner makes or executes any engraving,
    photograph, print, or impression in the likeness of any such badge,
    identification card, or other insignia, or any colorable imitation thereof,
    except as authorized under regulations made pursuant to law, shall be
    fined under this title or imprisoned not more than six months, or both.

CAC recovery may improve if, during the CVS application process, applicants were
informed of this law and told that once they no longer had a valid need for CACs or that
their CACs were revoked or expired, they must return CACs to responsible Government
officials.

Directive-Type Memoranda
DoD Instruction 5025.01, “DoD Directives Program,” October 28, 2007, states that
Directive-Type Memoranda shall be effective for no more than 180 days from the date
signed, during which time they shall be incorporated into an existing DoD issuance,
converted to a new DoD issuance, reissued, or canceled.[15] Our research of DoD
issuances showed neither the P&R Memorandum nor the CAC Memorandum has been
incorporated in or converted to a DoD issuance, reissued, or canceled. Because both of
these memoranda were issued more than 180 days ago and have not been cancelled, they
should be incorporated in or converted to a DoD issuance.

Conclusion
DoD did not have policies and procedures that consistently governed the contractor CAC
life cycle.
Specific weaknesses follow.

    •   Trusted Agents did not establish contractors’ DoD affiliations and CAC
        expiration dates before approving CVS applications.

    •   Trusted Agents approved CVS applications without verifying a background
        check.

    •   Verifying Officials issued contractor CACs without Government approval and
        with information that differed from what the Trusted Agents had approved in
        CVS.

    •   Trusted Agents did not consistently reestablish contractors’ continued need for
        CACs before reverifying the CACs in CVS.

    •   DoD officials did not recover all contractor CACs that were revoked.

These CAC life-cycle weaknesses pose a potential national security risk that may result
in unauthorized access to DoD resources, installations, and sensitive information
worldwide. See Figure 5 at the end of this finding for a summary of the contractor CAC
life cycle.

[14] Federal Acquisition Regulation 52.204-9, “Personal Identity Verification of Contractor Personnel,”
November 2006, and Air Force Federal Acquisition Regulation Supplement, Clause 5352.242-9001,
“Common Access Cards (CACs) for Contractor Personnel,” August 2004.
[15] A DoD issuance is a DoD Directive, Instruction, or Regulation.

Actions Taken by the Defense Manpower Data Center
DMDC officials stated that they started exploring solutions for CAC recovery in July
2008. Specifically, they are studying ways to make contractors aware of CAC recovery
requirements through both CVS and RAPIDS.
Also, DMDC officials stated that they
would continue to look for ways to encourage contractors and contracting organizations
to return CACs when they are revoked.

Recommendations, Client Comments, and Our Response

Added, Renumbered, and Revised Recommendations
As a result of management and client comments, we added Recommendation A.1. to
establish a lead office responsible for the CAC life cycle, and renumbered draft
Recommendations A.1. through A.5. as A.2. through A.6. In addition, we revised draft
Recommendations A.2.a.(2) and A.2.b.(2)—now A.3.a.(2) and A.3.b.(2)—to clarify the
intent of the recommendations. Specifically, Recommendation A.3.a.(2) was revised to
clarify the need to ensure that certain data fields from the DD Form 1172-2 are included
as data fields in CVS, and are subsequently completed and transferred to
DEERS/RAPIDS by the Trusted Agents. Also, Recommendation A.3.b.(2) was revised
to clarify the need for Verifying Officials to ensure that the contractor, when attempting
to replace a lost CAC, is still eligible and has a continued need for a CAC by
coordinating with the responsible Trusted Agent.

A.1. We recommend that the Deputy Secretary of Defense designate an office with
the authority and responsibility for overseeing the DoD contractor Common Access
Card life cycle, including implementation of policy for logical and physical access.

A.2. We recommend that the Under Secretary of Defense for Acquisition,
Technology, and Logistics direct the Defense Acquisition Regulations Council to
include a standard contract clause in the Defense Federal Acquisition Regulation
Supplement that, at a minimum, requires contractors to comply with the joint
Common Access Card policy in Recommendation A.5.
This clause should be
applicable to all DoD contracts and subcontracts for which contractor or
subcontractor personnel receive Common Access Cards.

Client Comments
The Principal Deputy Director, Acquisition Resources and Analysis, responding for the
USD (AT&L), agreed. The Principal Deputy Director stated that USD (AT&L) plans to
open a Defense Federal Acquisition Regulation Supplement case to add appropriate
regulatory language making contractors accountable for any CACs issued to them,
including returning the CACs if the CAC holder no longer needs or is no longer
authorized to use the CAC.

Our Response
The Principal Deputy Director’s comments were responsive, and no additional comments
are required.

A.3. We recommend that the Under Secretary of Defense for Personnel and
Readiness:

   a. Implement system controls for the Contractor Verification System and the
      Real-time Automated Personnel Identification System to prevent improper
      changes to contractor Common Access Card records. System controls
      should, at a minimum:

       (1) Prevent the Real-time Automated Personnel Identification System from:

              (a) Issuing Common Access Cards to contractors without the
              approval of a Trusted Agent in the Contractor Verification System.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), agreed. The Deputy Under Secretary stated that, in October 2008, DMDC
will enforce the lock down of DEERS/RAPIDS data entry so that data on contractors
applying for CACs are entered through CVS.

Our Response
The Deputy Under Secretary’s comments were responsive, and no additional comments
are required.

              (b) Modifying contractor Common Access Card information
              approved by the Trusted Agent.
              When Verifying Officials believe
              there is an error in a contractor’s record, they should direct the
              contractor to see his or her Trusted Agent so changes may be made.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), partially agreed. The Deputy Under Secretary stated that, as indicated in
the response to Recommendation A.3.a.(1)(a), DMDC will lock DEERS/RAPIDS data
entry and see that, as of October 2008, contractor data are entered only through CVS.
The Deputy Under Secretary stated that the lock down would prevent DEERS/RAPIDS
Verifying Officials from modifying contractor eligibility data (specifically, the CAC
expiration date) without approval from the Trusted Agent in CVS. Further, the Deputy
Under Secretary stated that, to accurately manage identity in DEERS, certain data fields
would remain open for update by the Verifying Official in accordance with
DEERS/RAPIDS procedures (for example, name change due to marriage where a
scanned marriage certificate is required in DEERS).

Our Response
The Deputy Under Secretary’s comments were partially responsive. We agree that the
lock down is intended to prevent Verifying Officials from modifying contractor data
without approval from the Trusted Agent in CVS, and we acknowledge the need for
certain data fields to remain open for modification by the Verifying Official (such as a
name change due to marriage). However, the Deputy Under Secretary did not specify
which data fields would remain open or the rationale for keeping those fields open for
modification by the Verifying Official.
We request that the USD (P&R) provide
comments on the final report by October 31, 2008, specifying the RAPIDS data fields
that will remain open and the rationale for allowing Verifying Officials to modify those
data fields.

       (2) Ensure that data fields from the DD Form 1172-2, such as the pay grade
           and Geneva Conventions category, are added to the Contractor
           Verification System, and that Trusted Agents subsequently and
           accurately complete and transfer all fields to the Defense Enrollment
           Eligibility and Reporting System/Real-time Automated Personnel
           Identification System.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), agreed, stating that the October 2008 DEERS/RAPIDS lock down should
help ensure that data entered into CVS are accurately transferred to DEERS/RAPIDS.

Our Response
The Deputy Under Secretary agreed; however, we concluded from the response that our
recommendation was unclear. As a result, we revised the recommendation to clarify the
need to ensure that certain data fields from the DD Form 1172-2 are included as data
fields in CVS, and are subsequently completed and transferred to DEERS/RAPIDS by
the Trusted Agents. We request that the USD (P&R) review the revised recommendation
and provide comments on the final report by October 31, 2008.

   b. Implement procedures to prevent:

       (1) Contractors from having multiple active contractor Common Access
           Cards, unless one is for military service.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), agreed in principle, stating that such procedures have already been
implemented by DoD.
The Deputy Under Secretary stated that it is possible for an
individual to be a DoD civilian, Military Service reservist, adjunct professor, and
contractor at the same time, with each personnel category qualifying an individual for a
separate CAC. However, the Deputy Under Secretary stated that it is DoD policy to issue
only one active CAC per personnel category, including contractors, and all RAPIDS
versions currently enforce this policy.

Our Response
Although the Deputy Under Secretary agreed, we consider the comments nonresponsive.
We acknowledge that, according to DoD policy, only one active CAC can be issued per
personnel category. However, as of July 19, 2007, our analysis of DMDC data showed
that 772 U.S. and foreign national contractors had multiple active contractor CACs
(see Appendix C for details of the number of contractors and CAC types). Because our
analysis of the data shows that this DoD policy is not consistently implemented
throughout the Department, we request that the USD (P&R) provide comments on the
final report by October 31, 2008, addressing specific actions that will be taken to ensure
that the DoD policy for issuing one active CAC per contractor is implemented and
enforced.

       (2) Verifying Officials from reissuing contractor Common Access Cards
           when contractors report them as “lost” unless the Verifying Officials
           coordinate with responsible Trusted Agents to confirm whether the
           contractors still have a valid need for Common Access Cards.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), disagreed. The Deputy Under Secretary stated that the current process
requires CVS Trusted Agents to reverify contractors’ continued affiliation with DoD and
need for a CAC every 6 months, making any additional reverification redundant.
The Deputy Under Secretary further explained that the USD (P&R) will establish and publish
guidelines with steps the Trusted Agent must take to reverify a record in conjunction with
the policy that is under development.

Our Response
The Deputy Under Secretary’s comments were nonresponsive; however, we concluded
from the response that our recommendation was unclear. As a result, we revised the
recommendation to clarify the need for Verifying Officials to ensure that the contractor,
when attempting to replace a lost CAC, is still eligible and has a continued need for a
CAC by coordinating with the responsible Trusted Agent. We request that the
USD (P&R) review the revised recommendation and provide comments on the final
report by October 31, 2008.

   c. Implement a process that periodically informs Trusted Agents (Government
      sponsors) when their contractors have not turned in revoked Common
      Access Cards.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), disagreed. The Deputy Under Secretary stated that her office recognizes
that there are challenges associated with the retrieval of revoked CACs, but that
implementing an automated means to periodically inform Trusted Agents when CACs
have not been returned will not help with tracking revoked cards. Instead, the Deputy
Under Secretary stated that DoD established mechanisms to account for virtually
100 percent of the CACs that are revoked—to include cards reported lost or stolen, not
functioning properly, terminated due to separation, or expired—and that these cards are
shown as inactive within the CAC issuance system and certificates are revoked by the
DoD Public Key Infrastructure.
The Deputy Under Secretary further stated that, although
DoD can account for a majority of the cards that have been returned to DMDC for
disposition, some cards cannot be physically accounted for because they were lost or
stolen, no longer functional, or worn beyond recognition. The Deputy Under Secretary
explained that periodic reports to CVS Trusted Agents on CACs reported as not returned
could potentially include revoked cards that were returned and properly destroyed. As a
result, the Deputy Under Secretary recognized the need to improve procedures for the
return of CACs as a controlled item, including tighter contractual obligations, but stated
that this would be done using policy and oversight efforts associated with revocation and
retrieval of CACs instead of automated methods.

Our Response
The Deputy Under Secretary’s proposed corrective actions are partially responsive.
Specifically, we acknowledge the Deputy Under Secretary’s recognition of the need for
improved procedures for the return of CACs as a controlled item, including tighter
contractual obligations, and that policy and oversight efforts, if properly enforced, will
facilitate the retrieval of revoked CACs. However, for the Deputy Under Secretary’s
comments to be fully responsive, we request that the USD (P&R) provide comments on
the final report by October 31, 2008, specifying the policy and oversight efforts that will
be implemented to enforce the revocation and retrieval of CACs.

   d. Require the Army and Navy Defense Enrollment Eligibility and Reporting
      System/Real-time Automated Personnel Identification System program
      offices to rescind the guidance for issuing 3-year Common Access Cards
      regardless of the contractors’ terms of service.
      Rather, the Army and Navy
      Defense Enrollment Eligibility Reporting System/Real-time Automated
      Personnel Identification System program offices should direct issuance of
      Common Access Cards in accordance with DoD policy.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), agreed, stating that the Defense Human Resources Activity Identification
Card Policy Office sent e-mails to the DEERS/RAPIDS Service project offices to ensure
that contractor CACs are issued with expiration dates in accordance with current policy.
The Deputy Under Secretary also stated that she believed the DEERS/RAPIDS Service
project offices rescinded any guidance that was contrary in nature.

Our Response
The Deputy Under Secretary’s comments were responsive, and no additional comments
are required.

   e. In accordance with DoD Instruction 5025.01, “DoD Directives Program,”
      October 28, 2007:

       (1) Incorporate or convert Under Secretary of Defense Memorandum,
           “DEERS/RAPIDS Lock Down for Contractors,” November 10, 2005, into
           a DoD issuance, reissue the memorandum, or cancel it.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), agreed, stating that as the designated lead for the implementation of
Homeland Security Presidential Directive-12, the USD (P&R) will incorporate the
USD (P&R) Memorandum, “DEERS/RAPIDS Lock Down for Contractors,”
November 10, 2005, as well as any additional CAC-related policies under the
USD (P&R), into new issuances currently in development.
The Deputy Under Secretary
also stated that the new issuances include the draft Deputy Secretary of Defense
Directive-Type Memorandum 08-006 and the draft USD (P&R) Directive-Type
Memorandum 08-003 that outline the Department’s roles and responsibilities for CAC
and Homeland Security Presidential Directive-12-related items within the scope of the
audit. Finally, the Deputy Under Secretary stated that, as required by DoD Directive
5025.01, “DoD Directives Program,” October 28, 2007, these Directive-Type
Memoranda will be converted into a DoD instruction within 180 days of their release and
will include any unaddressed policy-related items associated with controls over
contractor CACs to the maximum extent possible.

Our Response
The Deputy Under Secretary’s comments were responsive, and no additional comments
are required.

       (2) Coordinate with the DoD Chief Information Officer to incorporate or
           convert Office of the Secretary of Defense Memorandum, “Common
           Access Card (CAC),” January 16, 2001, into a DoD issuance, reissue the
           memorandum, or cancel it.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), agreed and addressed the planned corrective actions in the response to
Recommendation A.3.e.(1).

Our Response
The Deputy Under Secretary’s comments were responsive, and no additional comments
are required.

A.4. We recommend that the Under Secretary of Defense for Intelligence
implement policy that, at a minimum, specifies background investigation
requirements and the method and system needed to verify the results of the
background investigations for both U.S.
and foreign national contractors who will
be issued Common Access Cards.

Client Comments
The Under Secretary of Defense for Intelligence neither agreed nor disagreed. However,
the Under Secretary stated that Federal standards mandate the NACI as the minimum
background investigation for Homeland Security Presidential Directive-12 credentialing.
The Under Secretary stated that interim credentials may be issued upon a favorable
fingerprint check and the submission of the requisite investigation, that they are
reviewing solutions to facilitate electronic verification of background investigations, and
that they expect implementation by the end of 2009. The Under Secretary also stated
that, in partnership with the Office of the Secretary of Defense, the Services, and agency
staff, his office is working on policy guidance that will outline the investigative
requirement for CAC credentialing throughout DoD. The Under Secretary added that
CAC credentialing standards will apply to all DoD employees, Military Services,
contractors (in staff-like positions requiring logical access), and other DoD personnel
requiring physical access for 6 months or more. Finally, the Under Secretary stated that
specific guidance to establish credentialing and background investigation standards for
foreign nationals (non-U.S. citizens, including contractors) is under development with the
Department of State, and that CAC issuance to foreign nationals will be limited and
strictly controlled.

Our Response
The Under Secretary’s comments were responsive, and no additional comments are
required.

A.5. We recommend that the Under Secretary of Defense for Personnel and
Readiness, Under Secretary of Defense for Acquisition, Technology, and Logistics,
and the Under Secretary of Defense for Intelligence:

   a. Designate within 90 days the lead organization responsible for developing
      and implementing a joint contractor Common Access Card policy (also see
      Recommendation D.2.).

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), agreed, stating that the USD (P&R) is the lead for Homeland Security
Presidential Directive-12, which includes coordination of the policies associated with
CAC issuance, and that policy development is underway to address the items outlined in
the recommendation.

The Principal Deputy Director, Acquisition Resources and Analysis, responding for the
USD (AT&L), agreed, stating that the USD (AT&L) will work with the USD (P&R) and
the Under Secretary of Defense for Intelligence to implement these recommendations.

The Under Secretary of Defense for Intelligence partially agreed, stating that as the
Principal Staff Assistant for Physical Security (access control), Personnel Security
(background investigations), and the National Industrial Security Program (contractors),
his office would, in coordination with the USD (P&R) and the USD (AT&L), develop
policy for the DoD CAC for their areas of responsibility. In addition, the Under
Secretary stated that contractors who are not eligible for the DoD CAC will receive a
local or a DoD alternate, physical-access-only credential, which is under development.
Additionally, the Under Secretary stated that his office is developing separate,
comprehensive security policy for all categories of individuals requiring access to
DoD-owned and -controlled facilities worldwide, which will mandate minimum access
control standards, procedures, and equipment, including requirements for contractors.

Our Response
The Deputy Under Secretary’s, Principal Deputy Director’s, and Under Secretary’s
comments were responsive, and no additional comments are required.

   b. Implement the joint policy, which at a minimum should require:

       (1) Trusted Agents to coordinate with contracting and security personnel
           when establishing contractors’ initial and continued affiliation with DoD
           and need for Common Access Cards, and to maintain evidence of this
           coordination.
       (2) Standard procedures resulting from Recommendation A.4. for
           confirming background checks for contractors applying for Common
           Access Cards.
       (3) A limit on the number of contractors a Trusted Agent may sponsor.
       (4) Trusted Agents to follow up with contractors who have not returned their
           Common Access Cards once Recommendation A.3.c. is implemented.
       (5) Specific Government personnel to recover contractor Common Access
           Cards when they are no longer needed.
       (6) Trusted Agents to inform security personnel when contractors do not
           return revoked Common Access Cards. In addition, security personnel
           should consider taking action under section 701, title 18, United States
           Code.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), agreed with Recommendations A.5.b.(1), (2), (3), (5), and (6), stating that
policy development is underway to address these items.
The Deputy Under Secretary
disagreed with Recommendation A.5.b.(4), stating that although she recognizes the
challenges associated with CAC retrieval, instead of attempting to implement the
automated notifications referenced in A.3.c., the USD (P&R) will coordinate and
establish CAC retrieval policies and procedures.

The Principal Deputy Director, Acquisition Resources and Analysis, responding for the
USD (AT&L), agreed, stating that the USD (AT&L) will work with the USD (P&R) and
the Under Secretary of Defense for Intelligence to implement these recommendations.

The Under Secretary of Defense for Intelligence agreed, stating that his office will
implement appropriate policy as referenced and will address physical security
requirements for CACs as controlled, U.S. Government property that requires the
protection of personally identifiable information; a reporting requirement for lost or
stolen credentials; and referral to the Department of Justice for violations of section 701,
title 18, United States Code and section 797, title 50, United States Code.

Our Response
Although the Deputy Under Secretary disagreed with Recommendation A.5.b.(4), the
proposed corrective action to coordinate and establish CAC retrieval policies and
procedures satisfied the intent of this recommendation. Therefore, the Deputy Under
Secretary’s, Principal Deputy Director’s, and Under Secretary’s comments were
responsive, and no additional comments are required.

A.6. We recommend that the Director, Defense Manpower Data Center add a
notification screen in the Contractor Verification System that, at a minimum,
informs applicants about section 701, title 18, United States Code and explains that
revoked Common Access Cards must be returned to specific Government personnel
as determined in Recommendation A.5.b.(5).

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
Director, DMDC, agreed, stating that DMDC will implement a CVS notification message
during the second quarter of FY 2009 to inform contractor applicants of their
responsibility to return terminated or expired CACs to a RAPIDS facility or to specific
Government personnel that will be determined during the course of policy development.
The Deputy Under Secretary also stated that the notification message will include a
reference to section 701, title 18, United States Code and that this information would be
added to the CVS online training and user guide.

Our Response
The Deputy Under Secretary’s comments were responsive, and no additional comments
are required.

Figure 5. Life Cycle of the DoD Contractor Common Access Card
Note: Figure 5 depicts the typical DoD contractor CAC life cycle based on 67 CVS and RAPIDS site visits.

Finding B. Oversight of Common Access Cards for Contractors Deploying to Southwest Asia
The Army did not verify that Kellogg, Brown, and Root, Inc. (KBR) contractors
deploying to Southwest Asia had background checks or Government approval before
issuing them CACs, or that CACs were recovered after contractor services ended.
These
weaknesses pose a potential national security risk because, as of July 19, 2007, as many
as 25,428 U.S. and foreign national KBR contractors who deployed in support of
Southwest Asia operations may have unauthorized access to DoD resources, installations,
and sensitive information worldwide. Better Army oversight and CAC life-cycle
procedures are required to minimize this risk.

KBR Deployment Processing Center
KBR has its own Deployment Processing Center in Houston, Texas, which provides
training, equipment, and CACs to KBR contractors deploying to Southwest Asia.
Figure 7 depicts the KBR CAC life cycle for contractors deploying to Southwest Asia.
The CAC issuance process at the KBR Deployment Processing Center occurred as
follows.

     •   KBR hired U.S. or foreign national contractors.

     •   Kroll Background America, Inc. (hereafter referred to as Kroll), a KBR
         subcontractor, was hired by KBR to perform background checks on KBR
         contractors.

     •   KBR prepared a DD Form 1172-2 for its contractors and notarized photocopies
         of their passports. KBR sent this information to a contractor at Fort Belvoir,
         Virginia.

     •   A contractor working with Army Materiel Command (AMC) at Fort Belvoir,
         Virginia, reviewed the DD Forms 1172-2 and the notarized passport
         photocopies. If no errors were detected, the contractor distributed the
         DD Forms 1172-2 to Government officials for signature and then sent the signed
         forms back to the KBR Deployment Processing Center.

     •   SI International, Inc. (SI International), a contractor at the KBR Deployment
         Processing Center, used RAPIDS to issue CACs to KBR contractors based on
         their signed DD Forms 1172-2.

AMC and the Deputy Under Secretary of the Army for Business Transformation
(DUSA-BT) are responsible for monitoring the CAC life cycle at the KBR Deployment
Processing Center. Because the KBR contractors were receiving CACs for work under
contract to AMC, AMC was responsible for CAC approval, revocation, and recovery.
Both AMC and DUSA-BT were responsible for monitoring CAC issuance at the
SI International RAPIDS site. The most recent DUSA-BT contract was awarded in
March 2008 for 1 year with an option period for 1 additional year.

Contractor Background
AMC officials had no assurance that KBR contractors received proper background
investigations before being issued CACs. AMC officials relied on background
investigations performed by Kroll, a KBR subcontractor. However, the subcontractor’s
criteria for the background investigations performed on KBR contractors did not meet
Government requirements for investigations.

As discussed in finding A, Homeland Security Presidential Directive-12 and Federal
Information Processing Standard 201-1 require contractors seeking a CAC to have NACI
or equivalent investigations (see page 9 for details on background investigation
requirements). KBR hired Kroll to perform background investigations for the company’s
U.S. and foreign national contractors deploying to Southwest Asia. However, the
investigations did not meet the requirements of a NACI or equivalent background
investigation.[16] Table 4 contrasts NACI requirements with those of the background
investigations performed by Kroll for KBR employees.

        Table 4. Comparison of Background Investigation Requirements

+------------------------------+-----------------------------------+------------------------+
| NACI (Required)              | KBR Subcontractor Investigation                            |
|                              +-----------------------------------+------------------------+
|                              | U.S. Background Check             | Foreign National Check |
+------------------------------+-----------------------------------+------------------------+
| Law enforcement records,     | Checks Federal records, criminal  | Not Completed          |
| 5 years                      | records, outstanding warrants for |                        |
+------------------------------+ arrest, “Also Known As” records,  +------------------------+
| FBI name check               | Social Security number, county    | Not Completed          |
+------------------------------+ records, probation, and pending   +------------------------+
| FBI National Criminal        | Court Records                     | Not Completed          |
| History Fingerprint Check    |                                   |                        |
+------------------------------+-----------------------------------+------------------------+
| Employment records,          | Not Completed                     | Not Completed          |
| 5 years                      |                                   |                        |
+------------------------------+-----------------------------------+------------------------+
| Education records, 5 years   | Not Completed                     | Not Completed          |
+------------------------------+-----------------------------------+------------------------+
| Residential records, 3 years | Address Histories                 | Not Completed          |
+------------------------------+-----------------------------------+------------------------+
| References                   | Not Completed                     | Not Completed          |
+------------------------------+-----------------------------------+------------------------+
| Defense Clearance and        | Not Completed                     | Not Completed          |
| Investigations Index         |                                   |                        |
+------------------------------+-----------------------------------+------------------------+
| Security/Suitability         | Not Completed                     | Not Completed          |
| Investigations Index         |                                   |                        |
+------------------------------+-----------------------------------+------------------------+

[16] For our statistical sample analysis in finding A, 27 of 30 contractors were issued their CACs at the KBR
Deployment Processing Center without a NACI or equivalent background investigation.

The Kroll background investigations of U.S. contractors were more thorough than those
of foreign national contractors, who were required to provide only a 7-year police record
from their country of origin. Kroll’s only contractual requirement for foreign nationals
was to verify that the police record was authentic.
Army officials allowed U.S. and
foreign national contractors to obtain a CAC without the required background
investigation. This practice poses a potential national security risk that may result in
unauthorized access to DoD resources, installations, and sensitive information
worldwide.

Government Sponsor’s Approval
AMC officials do not know whether KBR contractors were properly sponsored before
they were issued CACs. Specifically, Government officials sponsoring KBR contractors
were geographically removed, requiring these officials to depend on KBR. Additionally,
AMC officials allowed the KBR contractors and foreign nationals to use the
DD Form 1172-2 instead of the Government-mandated CVS to obtain sponsorship for the
CAC. Government officials also relied on a contractor to sponsor KBR contractors.

Use of DD Form 1172-2
As of July 2008, KBR contractors deploying to Southwest Asia were not required to
apply for a CAC through CVS. Therefore, CVS reverification was bypassed, signifying
that the Army had no assurance that KBR contractors had a continued need for CACs
(see page 12 for CVS reverification requirements). Instead of using CVS, these
contractors applied for their CACs using DD Form 1172-2. According to KBR officials,
the company deployed 1,200 to 1,600 contractors per month, making the use of CVS
difficult. Considering the number of KBR contractors processed every month, Army
CAC program officials agreed that requiring KBR to use CVS would restrict the Army’s
mission in Southwest Asia. We were unable to obtain any evidence to support these
opinions, and there was no official guidance issued by the Army CAC program office for
this practice.

The P&R Memorandum required the use of CVS for all contractors and did not authorize
the continued use of the DD Form 1172-2. However, AMC officials believed they had a
waiver to this policy because they received an e-mail from the DEERS/RAPIDS Project
Office, U.S.
Army Human Resources Command. This e-mail stated that AMC could
continue using DD Form 1172-2 to authorize CAC issuance and that an official waiver
from USD (P&R) was not necessary. According to the Office of Inspector General,
Office of General Counsel, U.S. Army Human Resources Command had no authority to
waive a policy issued by USD (P&R).

KBR Government Sponsors
Government officials located at Fort Belvoir, Virginia, were supposed to sponsor KBR
contractors in Houston, Texas, who were applying for CACs. However, a contractor
reviewed and was also authorized to approve KBR contractors’ DD Forms 1172-2 by
comparing them with photocopies of applicants’ passports. Verification of background
checks, which is normally a Government function, was not performed on KBR
contractors prior to approving the contractors’ DD Forms 1172-2. According to AMC
officials, the contractor reviewed the DD Forms 1172-2 and placed them on the
Government officials’ desks for signature. In effect, a contractor was sponsoring
contractors, even though, technically, Government officials were signing the
DD Forms 1172-2.

Army Oversight of CAC Issuance at the RAPIDS Site Run by SI International
Officials from AMC and the Office of the DUSA-BT did not provide oversight of the
RAPIDS CAC issuance site collocated with the KBR Deployment Processing Center in
Houston, Texas. This site was operated by SI International, which was awarded a task
order by AMC using a DUSA-BT contracting vehicle. The contractor-run RAPIDS site
issues CACs to all eligible recipients, but the majority of CAC recipients using this site
were KBR contractors deploying to Southwest Asia.

AMC and DUSA-BT relied on contractors to perform contract oversight.
Specifically,
SI International provided monthly status reports to the contracting officer’s representative
and functional representative.[17] In these reports, SI International reported its own
performance to DUSA-BT, a practice that gave no assurance that contract requirements
were being achieved. In addition, prior to March 2008, the functional representative for
the contract was a contractor who was not on-site to assess SI International’s
performance. The task order awarded in March 2008 appointed a Government employee
to be the functional representative; however, this individual also was not on-site to assess
SI International’s performance. See Figure 6 for the current organization of oversight for
this contract.

[Figure 6, organization chart: Deputy Under Secretary of the Army for Business
Transformation; Contracting Officer’s Representative, Arlington, VA; Functional
Representative (AMC), Fort Belvoir, VA; RAPIDS Site Run by SI International, Inc.,
Houston, TX]

         Figure 6. Organization of Oversight for the SI International Contract

[17] DUSA-BT defines the functional representative as the person who serves as the on-site representative to
directly observe and assess contractor performance against contract performance standards defined in the
contract Performance Requirements Summary.

We tested two of the three contract performance standards in the SI International
contract.

     •   All issued CACs must be accurate, comply with regulatory guidance, and identify
         the appropriate privileges for each recipient.

     •   Data entries in RAPIDS must be 100-percent accurate.

Our testing showed that these performance standards were not achieved. Specific
deviations included the following.

     •   CVS was not used to sponsor contractors for CACs.

     •   Approximately 99 percent of all CACs issued at the site, which were still active as
         of July 19, 2007, were automatically valid for a 3-year period instead of the
         contract period of performance.

     •   Nine out of thirty CACs were issued without sponsorship based on reviewed
         DD Forms 1172-2.

     •   RAPIDS Verifying Officials modified information approved on DD Form 1172-2
         for 5 out of 30 CACs tested.

To improve performance at the SI International RAPIDS site, the AMC functional
representative should assess contractor performance, and DUSA-BT should address the
performance assessment with AMC and SI International during the quarterly interim
progress reviews as required by the task order.
This oversight should occur prior to
awarding option periods to SI International for the RAPIDS CAC issuance contract.

CAC Recovery
KBR officials stated that when contractors redeploy to the United States from Southwest
Asia, the CACs are collected by KBR and submitted to military officials. However, from
January 1 through June 30, 2007, 957 out of 1,966 revoked KBR contractor CACs were
not recovered by DoD (48.7 percent). In addition, we could not determine whether DoD
recovered 297, or 15.1 percent, of the 1,966 revoked CACs. CAC recovery did not
always occur because the CAC and P&R Memoranda did not specify Government
officials responsible for collecting revoked CACs. Also, CACs were issued to KBR
contractors for 3 years, the maximum period authorized for a CAC. This poses a
potential national security risk because if a KBR contractor’s CAC was revoked after
1 year[18] but not recovered, the contractor could still use the CAC as a “flash pass” to gain
physical access to DoD installations worldwide.

[18] Based on interviews with CVS Trusted Agents, most service contracts are issued for a 1-year period.
Therefore, most contractor CACs should be valid for only 1 year.

Conclusion
Army officials did not perform the necessary oversight to verify that KBR contractors
deploying to Southwest Asia had authorized access to DoD resources, installations, and
sensitive information. AMC officials relied on a KBR subcontractor to perform
background investigations of KBR contractors; however, the investigations did not meet
Government requirements for CAC issuance. AMC officials also relied on a contractor
instead of a Government employee to sponsor KBR contractors, and relied on KBR to
recover CACs. Further, AMC officials did not use CVS, which offered better
management of contractor CACs than did DD Form 1172-2.
Finally, AMC and
DUSA-BT relied on SI International to issue CACs to KBR contractors without
Government oversight to ensure SI International was complying with contractual
requirements. See Figure 7 at the end of this finding for a summary of the contractor
CAC life cycle for KBR contractors in Southwest Asia.

A subsequent audit of contractor CACs in Southwest Asia may make additional
recommendations about the CAC life cycle for KBR contractors deploying to Southwest
Asia.

Client Comments on the Finding and Our Response
Client Comments
The Program Manager, HRsolutions Program Office, responding for the DUSA-BT,
provided general comments on the finding. Specifically, the Program Manager stated
that the RAPIDS site that SI International operates is housed within the KBR
Deployment Processing Center. The Program Manager also stated that eight 3-month
option periods were awarded; however, the current contract (awarded in March 2008)
was for 1 year with an option period for 1 additional year.

The Program Manager also stated that, although SI International reports its own
performance, those monthly performance reports are reviewed and accepted by the
Government functional representative and the quality assurance representative in the
HRsolutions Program Office. In addition, the Program Manager stated that
SI International operates in accordance with a quality control plan specific to its task
order, which is approved by the contracting officer’s representative and that the
functional representative for this site is a Government civilian as are all his office’s other
(140 or more) functional representatives.

Finally, the Program Manager stated that SI International did not recall issuing CACs to
contractors without Government sponsorship, and to SI International’s knowledge, all
CACs were issued with authorized Government signatures.
Further, the Program
Manager stated that SI International RAPIDS Verifying Officials did modify information
approved on DD Forms 1172-2, for example, by fixing misspellings, but the
SI International RAPIDS Verifying Officials did not change pertinent data on
entitlements or authorized periods of entitlement.

Our Response
We acknowledge that the RAPIDS site operated by SI International is housed within the
KBR Deployment Processing Center. In addition, we updated the finding to clarify that
the most recent task order, for SI International’s services, was awarded with 1 base year
and an option period for 1 additional year.

In addition, we acknowledge that SI International routes its monthly status reports
through Government officials; however, the task order states that the Government will
evaluate the contractor’s performance under the contract in accordance with the
performance assessment plan. According to the performance assessment plan, the
functional representative is responsible for conducting quarterly visits and assessing
contractor performance against contract performance standards. Therefore, the functional
representative should have assessed SI International’s performance.

We updated the finding to indicate that the functional representative, as of March 2008,
was a Government civilian. However, during the audit we obtained evidence that prior to
March 2008, the functional representative was a contractor.
Also, although
SI International does not recall issuing CACs without Government sponsorship, our
evidence shows that SI International did issue CACs to contractors without a
DD Form 1172-2 and changed authorized periods of entitlement (expiration dates),
e-mail certificate privileges, and Geneva Conventions codes.

Recommendations, Client Comments, and Our Response

Revised, Added, and Renumbered Recommendations
As a result of client comments, we revised draft Recommendation B.2. to clarify the
nature of the actions needed to monitor the RAPIDS site run by SI International at the
KBR Deployment Processing Center. Specifically, Recommendation B.2. was revised to
require the functional representative, working for the Logistics Civil Augmentation
Program Operations Directorate, to perform contract monitoring functions and to report
contractor performance to DUSA-BT. Also, Recommendation B.3. was added to require
DUSA-BT to facilitate quarterly interim progress reviews, in accordance with the
SI International task order. In addition, draft Recommendation B.3. was renumbered as
Recommendation B.4.

B.1. We recommend that the Commander, Army Materiel Command:

   a. Mandate use of the Contractor Verification System at the Kellogg, Brown,
      and Root, Inc. Deployment Processing Center and appoint Government employees
      to sponsor Kellogg, Brown, and Root, Inc. contractors in the Contractor
      Verification System in accordance with the Under Secretary of Defense for
      Personnel and Readiness Memorandum, “DEERS/RAPIDS Lock Down for
      Contractors,” November 10, 2005.

Client Comments
The Executive Deputy to the Commanding General, AMC, responding for the
Commander, AMC, agreed, stating that AMC will ensure compliance and would use
CVS by September 1, 2008.

Our Response
The Executive Deputy’s comments were partially responsive.
We acknowledge the
Executive Deputy’s actions to ensure compliance and use CVS by September 1, 2008.
However, the Executive Deputy did not address whether Government employees would
be appointed to perform TASM and Trusted Agent duties. Therefore, we request that the
Commander, AMC, provide comments on the final report by October 31, 2008,
addressing the appointment of Government employees to sponsor KBR contractors in
CVS.

   b. Verify that Kellogg, Brown, and Root, Inc. contractors undergo
      background checks that meet Homeland Security Presidential Directive-12 and
      Federal Information Processing Standard 201-1 requirements prior to issuing these
      contractors Common Access Cards, and maintain evidence of these background
      checks. (See Recommendation A.5. for additional information.)

Client Comments
The Executive Deputy to the Commanding General, AMC, responding for the
Commander, AMC, agreed. The Executive Deputy acknowledged that KBR contractors
should undergo background checks and explained procedures that AMC will implement
to verify that KBR contractors undergo background checks.

Our Response
The Executive Deputy’s comments were partially responsive. We agree that the steps
outlined by the Executive Deputy will correct many of the identified weaknesses.
However, the Executive Deputy did not provide details regarding what evidence would
be maintained for verifying background checks prior to CAC issuance. Therefore, we
request that the Commander, AMC, provide comments on the final report by
October 31, 2008, that address maintaining appropriate evidence of background checks.

   c. Confirm DoD affiliation of contractors before approving their Common
      Access Card requests, and maintain evidence of such confirmation.

Client Comments
The Executive Deputy to the Commanding General, AMC, responding for the
Commander, AMC, agreed.
The Executive Deputy explained procedures that AMC will
implement to confirm the contractors’ affiliation with DoD before approving their CACs
and stated AMC will maintain a file of such information.

Our Response
The Executive Deputy’s comments were responsive, and no additional comments are
required.

   d. Implement procedures to recover Common Access Cards from Kellogg,
      Brown, and Root, Inc. contractors when the cards are expired or no longer
      needed.

Client Comments
The Executive Deputy to the Commanding General, AMC, responding for the
Commander, AMC, agreed. The Executive Deputy explained procedures that AMC will
implement to recover contractor-issued CACs.

Our Response
The Executive Deputy’s comments were responsive, and no additional comments are
required.

B.2. We recommend that the Commander, Army Materiel Command require the
functional representative to conduct site visits to the SI International Real-time
Automated Personnel Identification System site at the Kellogg, Brown, and
Root, Inc. Deployment Processing Center to assess contractor performance, in
accordance with the task order, and to provide the results of the performance
assessment to the Office of the Deputy Under Secretary of the Army for Business
Transformation during the quarterly interim progress reviews required by the task
order.

Client Comments
The Program Manager, HRsolutions Program Office, responding for DUSA-BT,
disagreed, stating that the HRsolutions Program Office was not staffed to assign
personnel to monitor work at all of its customers’ sites.
The Program Manager stated that
the HRsolutions Program Office monitors task order performance through interim
reviews, monthly reports, the quality control plan, and dialogue with the contracting
officer’s representative.

The Program Manager stated that AMC used a DUSA-BT contract to purchase a
requirement that was awarded by the Army’s Contracting Center of Excellence. The
Program Manager stated that, in accordance with the task order, the functional
representative is tasked with conducting quarterly visits and assessing contractor
performance against contract performance standards. The Program Manager further
stated that the contracting officer’s representative employed by DUSA-BT is responsible
for execution and oversight.

The Program Manager acknowledged that no contracting officer’s representative or other
Government employee was on site at the RAPIDS facility within the KBR Deployment
Processing Center. However, the Program Manager stated that in the past, AMC
Logistics Civil Augmentation Program employees visited the KBR Deployment
Processing Center to perform oversight and ensure security requirements were met. The
Program Manager also stated that AMC relied on Defense Contract Management Agency
employees in the Houston area to visit the SI International RAPIDS site within the KBR
Deployment Processing Center when a Government presence was required.
Further, the
Program Manager stated that monthly reports from the contractor, SI International,
indicate that the site was in compliance with contractual requirements.

The Program Manager recommended that AMC continue to make quarterly site visits to
the SI International RAPIDS site to monitor the CAC process, and stated that DUSA-BT
would continue to monitor the SI International task order in the same manner as his office
did the other 140 or more task orders.

Our Response
The Program Manager’s comments were partially responsive. We acknowledge that
AMC, as the customer, should assess the contractor’s performance, but we also recognize
that DUSA-BT is ultimately responsible for contract execution and oversight and should
facilitate quarterly progress reviews to ensure that appropriate performance monitoring
occurs. Although SI International’s monthly status reports indicate that performance
standards were met, these reports were written by the contractor assessing its own
performance. Therefore, we revised Recommendation B.2. to require the functional
representative, working for the Logistics Civil Augmentation Program Operations
Directorate, to perform contract monitoring functions and report contractor performance
to DUSA-BT, in accordance with the task order. In addition, we added
Recommendation B.3. to require DUSA-BT to facilitate quarterly progress reviews, in
accordance with the SI International task order. We request that the Commander, AMC,
review the revised recommendation and provide comments on the final report by
October 31, 2008.

B.3.
We recommend that the Deputy Under Secretary of the Army for Business
Transformation facilitate quarterly progress reviews of the Common Access Card
issuance site run by SI International with representatives from the Army Materiel
Command, as required in the SI International task order, and maintain evidence of
what occurred during these reviews in the official contract file.

Client Comments
See the discussion under Recommendation B.2.

Our Response
As a result of comments from the Program Manager, HRsolutions Program Office, we
added Recommendation B.3. to require DUSA-BT to facilitate quarterly progress
reviews, in accordance with the SI International task order. Therefore, we request that
DUSA-BT review the added recommendation and provide comments on the final report
by October 31, 2008.

B.4. We recommend that the Adjutant General, U.S. Army Human Resources
Command inform the U.S. Army Defense Enrollment Eligibility and Reporting
System / Real-time Automated Personnel Identification System Project Office that it
is not permitted to waive DoD policy unless explicitly delegated that authority.

Client Comments
The Adjutant General, U.S. Army Human Resources Command agreed, stating that
corrective action has been taken to ensure that the Army DEERS/RAPIDS project office
complies with DoD identity card issuance policies and procedures. The Adjutant General
also stated that the Army DEERS/RAPIDS Project Office has been notified that any
deviation from DoD policy will not occur without prior coordination and approval from
the Office of the Secretary of Defense.

Our Response
The Adjutant General’s comments were responsive, and no additional comments are
required.

Figure 7. CAC Life Cycle for KBR Contractors Deploying SWA

Finding C.
Identification of U.S. and Foreign National Contractors
U.S. and foreign national contractors with CACs were misidentified as U.S. Government
personnel. Specifically, DMDC data indicated that:

   •   40,055 out of 420,822 contractor CACs indicated their holders had General
       Schedule (GS) pay grades and were Government personnel; and

   •   208,636 out of 289,352 U.S. contractors and 3,215 out of 3,459 foreign national
       contractors with CAC e-mail signature and encryption certificates had e-mail
       addresses identifying them as U.S. Government personnel.

This misidentification poses a potential national security risk because U.S. and foreign
national contractors could misrepresent themselves both in person and on DoD networks
to improperly obtain sensitive information or Government privileges worldwide.
USD (P&R) should implement additional system controls for CVS and RAPIDS to
prevent misidentification of contractors.

Classification of U.S. Government Personnel
In general, the CACs of civilians and contractors are assigned one of four personnel
classifications: GS, Senior Executive Service (SES), GS-Equivalent, or Other. Both GS
and SES classifications represent pay grades for Federal civilian employees, while
GS-Equivalent or Other are reserved for contractors.

Pay Grade
Out of 420,822 DoD and non-DoD contractors, approximately 9.5 percent, or 40,055, had
CACs that were inappropriately assigned GS pay grades. This occurred because
RAPIDS does not include controls to limit pay grade entries to GS-Equivalent or Other
for U.S. and foreign national contractors. In addition, the CVS application, which must
be approved before CAC issuance, does not include sections that would allow Trusted
Agents to:

   •   identify the pay grade of U.S. and foreign national contractors as GS-Equivalent
       or Other, or

   •   distinguish the U.S.
       and foreign national contractors who require a Geneva
       Conventions CAC (defined on the following page).

Because of these limitations, RAPIDS Verifying Officials enter the pay grades and
Geneva Conventions code based on contractors’ deployment documents. As a result,
contractors with inappropriate pay grades on their CACs could obtain sensitive
information and benefits such as housing and transportation that are available only to
U.S. Government personnel. Additionally, contractors inappropriately classified as a
senior civilian Government employee could be given higher priority for transport in
theaters of combat, affecting the combatant Commander’s priorities. This mistaken
precedence could further affect the Commander’s priorities in supporting the warfighter.
Table 5 provides details for the contractor CACs with inappropriate GS pay grades.

Table 5. Contractors With Inappropriate GS CACs

   Pay Grade     Number of Contractors
   GS-01                   691
   GS-02                   127
   GS-03                   236
   GS-04                   773
   GS-05                 2,588
   GS-06                 1,043
   GS-07                 1,608
   GS-08                   986
   GS-09                 2,963
   GS-10                 1,405
   GS-11                 3,307
   GS-12                12,354
   GS-13                 6,670
   GS-14                 2,856
   GS-15                 2,448
   TOTAL                40,055

In addition, we
identified 6 out of 420,822 contractors who were assigned SES pay
grades on their CACs. Although this misclassification did not occur often, RAPIDS
should be modified to disallow both GS and SES pay grades for contractors.

Geneva Conventions CAC
Of the 40,061 contractor CACs that were inappropriately assigned GS or SES pay grades,
40,055 were Geneva Conventions CACs. Contractors are not required to have GS or SES
pay grades to obtain a Geneva Conventions CAC; instead, contractors should be assigned
the pay grade “Other” to prevent contractors from being misidentified as Government
personnel.

The Geneva Conventions Identification Card for Civilians Accompanying the Armed
Forces, referred to as a Geneva Conventions CAC, differs from other types of CACs.
Specifically, Geneva Conventions CACs are issued to civilians and contractors who
accompany the Armed Forces during a conflict, combat, or contingency operation.
Civilians and contractors use the Geneva Conventions CAC to receive commissary,
exchange, morale, welfare, and recreation benefits and medical privileges while they
accompany the Armed Forces.

The Geneva Conventions CAC looks like other CACs; however, there is no green stripe
to identify contractors, and the bearer’s pay grade is printed on the front of the card.
Figure 8 shows a Geneva Conventions CAC and details the items printed on the front and
back of the card. Figure 9 shows a contractor or foreign national CAC for comparison.

(Figure callouts: “There is no green color band to help identify contractors on the
Geneva Conventions CAC”; “Pay Grade”)

Figure 8.
Geneva Conventions CAC for Contractors

(Figure callout: “Color Band”)

Figure 9. CAC With Color Band for Contractors and Foreign Nationals

Trusted Agents are more suitable for entering pay grade and Geneva Conventions code
because, as the sponsors, they have more knowledge than Verifying Officials of
contractors’ information and need for CACs. Additionally, some Trusted Agents were
also DoD contracting personnel. Therefore, Trusted Agents were familiar with contract
scope and work requirements. If Trusted Agents were responsible for entering pay
grades and Geneva Conventions codes in CVS, and if those fields were blocked in
RAPIDS, Verifying Officials would be unable to modify the data.

E-mail Addresses
DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6,
2003, requires all systems that process sensitive information to have a control called
“affiliation display.” Affiliation display requires contractors to have “.ctr” in their e-mail
addresses, and foreign national contractors to have their two-digit country code in their
e-mail addresses. Table 6 provides examples of proper contractor and foreign national
e-mail addresses, display names, and automated signature blocks, based on DoD
Instruction 8500.2.

Table 6.
Appropriate Contractor and Foreign National E-mail Identifiers*

   Affiliation Display              Examples
   DoD user e-mail address          john.smith.ctr@army.mil or
                                    john.smith.uk@army.mil or
                                    john.smith.ctr.uk@army.mil**
   DoD user e-mail display name     John Smith, Contractor,
                                    john.smith.ctr@army.mil; or
                                    John Smith, United Kingdom,
                                    john.smith.uk@army.mil
   Automated signature block        John Smith, Contractor, J-6K, Joint Staff or
                                    John Smith, United Kingdom, J-6K, Joint Staff

   * Our primary focus was on the “.mil” and “.ctr” e-mail address identifiers.
   ** The e-mail identifies contractors who are also foreign nationals.

E-mail addresses for 208,636 out of 289,352 U.S. contractors and 3,215 out of 3,459
foreign national contractors misclassified them as U.S. Government personnel.[19]
Specifically, contractors’ e-mail addresses were written in the same format as
U.S. Government personnel rather than a format identifying them as being either U.S. or
foreign national contractors. Misclassification occurred because information assurance
personnel did not establish e-mail addresses for U.S. and foreign national contractors in
accordance with DoD Instruction 8500.2. Also, CVS and RAPIDS were not designed to
reject the incorrect e-mail addresses.

Furthermore, Verifying Officials stated that they granted U.S. and foreign national
contractors logical access to DoD networks if the contractors were able to provide a
“.mil” e-mail address.
Because the Verifying Official does not sponsor the contractor, it
would be more appropriate for the CVS Trusted Agent to determine whether contractors
require logical access to sensitive DoD networks. However, CVS did not require Trusted
Agents to make this determination.

[19] Based on the active CAC data obtained from DMDC, all of these contractors had three Public Key
Infrastructure certificates on their CACs. These certificates, among other things, are used to validate an
individual’s identity and right to send and receive sensitive information through DoD Web sites and
military (.mil) e-mail addresses.

Conclusion
DMDC data indicated that RAPIDS did not have controls to limit pay grade entries, and
CVS did not have a field for identifying U.S. and foreign national contractors as either
GS-Equivalent or Other. In addition, neither system was designed to reject contractors’
e-mail addresses if they lacked the “.ctr” identifier. As a result, U.S. and foreign national
contractors’ CAC applications were approved in CVS even though their e-mail addresses
lacked proper identifiers, and U.S. and foreign national contractors were issued CACs
with pay grades that misidentified them as U.S. Government employees. Both the
misclassification of pay grades and inappropriate e-mail addresses increase potential risks
to national security in the following ways.

   •   DoD military and civilian personnel may inadvertently disclose controlled or
       sensitive information to U.S. and foreign national contractors.

   •   U.S. and foreign national contractors may misrepresent themselves to gain
       physical and logical access to DoD facilities, resources, and information.

   •   U.S.
       and foreign national contractors may be able to obtain transportation and
       other support before military personnel in theater, affecting Commanders’
       priorities in supporting the warfighter.

   •   U.S. and foreign national contractors could evade DoD oversight.

These risks would be minimized if pay grades and Geneva Conventions codes were
assigned in CVS by a Trusted Agent, and if RAPIDS had controls to prevent changes to
these fields. Furthermore, risks would be minimized if Trusted Agents recorded their
determination of contractors’ needs for logical access and required appropriate e-mail
addresses before approving CAC applications. USD (P&R) could effect these changes
by implementing a CAC recovery plan and adequate system controls.

Actions Taken by the Defense Manpower Data Center
After we received the Under Secretary of Defense for Program Integration’s comments
on the draft audit report, we received additional comments from the DMDC Chief,
Operations-Personnel Identity Protection Solutions Division. The DMDC Chief stated
that USD (P&R) will implement a “pop-up” screen to inform and remind CVS users that
contractors’ e-mail addresses should include a “.ctr” identifier. The DMDC Chief also
stated that USD (P&R) will release this CVS update during the second quarter of
FY 2009.

Recommendations, Client Comments, and Our Response

Revised Recommendation
As a result of client comments, we revised draft Recommendation C.1.c. to clarify the
need to add a field in CVS for Trusted Agents to document a contractor’s need for Public
Key Infrastructure digital certificates.

C.1.
We recommend that the Under Secretary of Defense for Personnel and
Readiness develop and implement the following system controls in the Contractor
Verification System and the Real-time Automated Personnel Identification System:

   a. Classify contractor pay grade as “Other” and reject incorrect e-mail
      addresses, as specified in DoD Instruction 8500.2, “Information
      Assurance (IA) Implementation,” February 3, 2003, for U.S. and
      foreign national contractors in the Contractor Verification System.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), partially agreed with implementing system controls to classify pay grades,
but disagreed with implementing system controls to reject incorrect e-mail addresses.
Specifically, the Deputy Under Secretary stated that the USD (P&R) agrees that
inappropriate categorization in the pay grade field needs to be addressed for contractors
eligible for the Geneva Conventions Identification Card for Civilians Accompanying the
Armed Forces. The Deputy Under Secretary explained that RAPIDS, rather than CVS,
requires a pay grade to designate an equivalent Geneva Convention code category in
accordance with DoD Instruction 1000.1, “Identity Cards Required by the Geneva
Conventions,” at the time of CAC issuance, and that classifying contractor pay grade as
“OTHER” in RAPIDS would still require a method to determine the appropriate Geneva
Conventions code category.
As a solution, the Deputy Under Secretary proposed that, by
the end of 2008, DMDC modify RAPIDS to allow Verifying Officials to continue to
enter the pay grade for contractors needing Geneva Conventions Identification Cards, but
the printed face of all contractor CACs would display only “OTHER” for the pay grade.

As for implementing system controls that reject incorrect e-mail addresses, the Deputy
Under Secretary stated that e-mail addresses for CAC holders are stored within the DoD
Public Key Infrastructure e-mail signing and e-mail encryption certificates. The Deputy
Under Secretary further stated that these fields have no technical function in CAC Public
Key Infrastructure-based Web site authentication, network authentication, e-mail signing,
or e-mail encrypting. The Deputy Under Secretary determined that, because the
requirement in DoD Instruction 8500.2, “Information Assurance (IA) Implementation,”
February 6, 2003, to designate contractors and foreign nationals is assigned to the
network administrators who establish and manage network and e-mail accounts,
enforcing the rejection of incorrect e-mail addresses within the CAC issuance process
would not limit any system risk associated with the naming convention of network and
e-mail accounts.

Our Response
The Deputy Under Secretary’s comments were partially responsive. We agree with the
proposed action for DMDC to modify RAPIDS by the end of 2008 so that the printed
face of all contractor CACs will display only “OTHER” for the pay grade. However, we
disagree that the requirement in DoD Instruction 8500.2, “Information Assurance (IA)
Implementation,” February 6, 2003, to designate contractors and foreign nationals is
assigned to the network administrators who establish and manage network and e-mail
accounts.
Specifically, DoD Instruction 8500.2 requires the heads of the DoD
Components, including the USD (P&R), to ensure that DoD information systems acquire
and employ information assurance solutions. These solutions include the control of
“affiliation display,” which requires contractors to have “.ctr” in their e-mail addresses
and foreign national contractors to have their two-digit country code in their e-mail
addresses. Therefore, we request that the USD (P&R) reconsider his position on
Recommendation C.1.a. regarding rejecting incorrect e-mail addresses in CVS and
provide comments on the final report by October 31, 2008.

   b. Lock the pay grade field for contractors and reject incorrect e-mail
      addresses, as specified in DoD Instruction 8500.2, “Information
      Assurance (IA) Implementation,” February 3, 2003, for U.S. and
      foreign national contractors in the Real-time Automated Personnel
      Identification System.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), partially agreed and referred to the comments in response to
Recommendation C.1.a.

Our Response
The Deputy Under Secretary’s comments were partially responsive. We agree with the
proposed action for DMDC to modify RAPIDS by the end of 2008 so that the printed
face of all contractor CACs will display only “OTHER” for the pay grade. However, we
disagree that the requirement in DoD Instruction 8500.2, “Information Assurance (IA)
Implementation,” February 6, 2003, to designate contractors and foreign nationals is
assigned to the network administrators who establish and manage network and e-mail
accounts.
Specifically, DoD Instruction 8500.2 requires the heads of DoD Components,
including the USD (P&R), to ensure that DoD information systems acquire and employ
information assurance solutions. These solutions include the control of “affiliation
display,” which requires contractors to have “.ctr” in their e-mail addresses and foreign
national contractors to have their two-digit country code in their e-mail addresses.
Therefore, we request that the USD (P&R) reconsider his position on
Recommendation C.1.b. regarding rejecting incorrect e-mail addresses in RAPIDS, and
provide comments on the final report by October 31, 2008.

   c. Add a field in the Contractor Verification System for Trusted Agents
      to document a contractor’s need for Public Key Infrastructure digital
      certificates.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), disagreed, stating that, in coordination with the Assistant Secretary of
Defense (Networks and Information Integration)/DoD Chief Information Officer and
during the DoD instruction development process, CAC holders’ eligibility for network
access probably will be defined in greater detail. Furthermore, the Deputy Under
Secretary stated that determination of eligibility for network logon and the management
of network accounts may not necessarily rest with the CVS Trusted Agents, but with
others in their organization, leaving the value added, practicality, and enforceability of
capturing this information in CVS unclear.

Our Response
We concluded from the Deputy Under Secretary’s response that our recommendation was
unclear.
We revised the recommendation to clarify the need to add a field in CVS for
Trusted Agents to document a contractor’s need for Public Key Infrastructure digital
certificates. Therefore, we request that the USD (P&R) review the revised
recommendation and provide comments on the final report by October 31, 2008.

C.2. We recommend that the Under Secretary of Defense for Personnel and
Readiness, the Under Secretary of Defense for Intelligence, and the Assistant
Secretary of Defense (Networks and Information Integration)/DoD Chief
Information Officer:

   a. Designate within 90 days the lead organization responsible for
      immediately developing and implementing a recovery plan for contractor
      Common Access Cards showing improper pay grades and e-mail
      addresses.

   b. Implement the recovery plan for contractor Common Access Cards
      showing improper pay grades and e-mail addresses.

Client Comments
The Deputy Under Secretary of Defense for Program Integration, responding for the
USD (P&R), disagreed. The Deputy Under Secretary stated that the USD (P&R)
recognizes that the current CAC infrastructure does not prevent a potentially incorrect or
misleading pay grade equivalent from being printed on a contractor’s CAC, but this
would be corrected. However, the Deputy Under Secretary stated that designating a lead
and implementing a recovery plan for CACs that are currently in circulation are out of
proportion to the perceived risks cited in the draft report.
The Deputy Under Secretary
stated specifically that a contractor Geneva Conventions Identification Card for Civilians
Accompanying the Armed Forces CAC will still indicate that the individual is a
“Contractor” or “Foreign Affiliate” even if the card displays an incorrect pay grade.
Further, the Deputy Under Secretary stated that there was no evidence in the draft report
showing that a pay grade on a contractor’s card was used to authorize any type of access
or privileges. Furthermore, the Deputy Under Secretary stated that there are significant
cost implications and operational effects associated with recovering all CACs containing
incorrect pay grades and e-mail addresses. Therefore, the Deputy Under Secretary
concluded that a more appropriate approach would be to let current CACs be revoked and
expire in accordance with the normal life cycle and focus on improving the proper pay
grade categorizations for new contractor CACs.

The Under Secretary of Defense for Intelligence agreed, stating that inaccurate
information on contractor CACs poses a security threat and likely may affect
accreditation of the system under the Privacy Act of 1974. The Under Secretary also
stated that the Federal credential uses the red color bar to identify First Responders, and
that the color bar on contractor CACs, coupled with inaccurate Government civilian pay
grades, poses a significant vulnerability to Federal facilities worldwide.

The Deputy Assistant Secretary of Defense (Information and Identity Assurance),
responding for the Assistant Secretary of Defense (Networks and Information
Integration)/DoD Chief Information Officer, partially agreed. The Deputy Assistant
Secretary stated that contractor e-mail addresses are not displayed on the outside of
contractor CACs, but appear only in the signing or encryption certificates.
The Deputy
Assistant Secretary explained that, because use of the card for physical access does not
provide access to or expose the e-mail address of the card holder, the number of
contractor CACs used in Southwest Asia to authenticate the card holders’ eligibility for
access to logical resources is very small and poses little risk to DoD operations.
However, the Deputy Assistant Secretary stated that the Assistant Secretary of Defense
(Networks and Information Integration)/DoD Chief Information Officer intends to work
closely with the USD (P&R) and the Under Secretary of Defense for Intelligence to
develop a plan focused on immediate recovery and reissuance of CACs with improper
e-mail addresses for contractors located in the United States, while improperly issued
contractor CACs currently in use in Southwest Asia will be recovered as they expire.
The Deputy Assistant Secretary acknowledged that, although recovery and reissuance are
important, the immediate focus should be on correcting issuance procedures.

Our Response
The Deputy Under Secretary’s, Under Secretary’s, and Deputy Assistant Secretary’s
comments were partially responsive. All three clients acknowledged that recovery and
reissuance of CACs are important, and the Deputy Under Secretary and Deputy Assistant
Secretary specifically proposed revoking and recovering contractor CACs as they expire.
While we agree that this recovery plan will be the least costly and onerous to the
Department, we still believe that a lead organization should be designated to coordinate
the further development of this recovery plan, and coordination should occur among the
three organizations to ensure implementation of the recovery plan.
Therefore, we request that the USD (P&R), the Under Secretary of Defense for Intelligence, and the Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer reconsider their positions on Recommendations C.2.a. and C.2.b. and provide comments on the final report by October 31, 2008.

Finding D. Oversight of Common Access Card Sponsors

DoD CVS Service Points of Contact (SPOCs) did not fulfill their oversight responsibilities for appointing CAC sponsors[20] and deactivating their accounts. DMDC data indicated that 303 CAC sponsors were contractors, and 45 active CVS CAC application sites had no manager for their sponsors. As a result, contractors and sponsors who left Government service may have been approving CACs. To strengthen oversight of CAC sponsors, DoD should implement procedures to:

    • verify that CAC sponsors are Government employees,
    • verify that each CVS site has managers, and
    • confirm periodically that sponsors should still have authorization to approve contractor CACs.

Organization of CAC Application Sites

Each Service agency has an SPOC who is responsible for coordinating with DMDC to establish and manage CVS sites and Trusted Agent Security Managers (TASMs). Each site may have no more than two TASMs but is allowed unlimited Trusted Agents. The DMDC CVS User’s Guide states that TASMs are responsible for appointing and managing Trusted Agents, and that neither TASMs nor Trusted Agents shall be contractors. In addition, a TASM may perform all Trusted Agent functions—for example, sponsoring contractors for CACs.
Figure 10 shows how a CVS site should be organized according to the DMDC CVS User’s Guide.

Figure 10. Organization of CVS Sites

[20] CAC sponsors are Trusted Agent Security Managers or Trusted Agents.

Appointment of CAC Sponsors

DMDC data indicated that 303 TASMs and Trusted Agents were contractors.[21] These sponsors managed 1,291 CVS applications during the first 6 months of 2007. Table 7 delineates the classification of CAC sponsors.

Table 7. CAC Sponsors by Personnel Classification

Classification in DEERS                                                         TASMs   Trusted Agents   Total
Contractor with active CAC                                                      22      181              203
Contractor with active CAC who was also in the revoked CAC data we obtained     6       35               41
Contractor with revoked CAC                                                     6       41               47
Not in DEERS as a contractor, but has a “.ctr” e-mail address                   4       8                12
Total                                                                           38      265              303

According to the DMDC CVS User’s Guide, SPOCs establish CVS sites and appoint TASMs by sending a digitally signed e-mail to the DMDC Support Office requesting new or additional CVS capability. Then, the DMDC Support Office generates the TASM record in a system called DEERS Security Online. DEERS Security Online is an application, separate from CVS, used to authorize TASMs and Trusted Agents to perform their duties.

[21] DMDC data indicated that 94 of the 303 TASM and Trusted Agent contractors worked at DMDC Support Centers and testing sites. In addition, 3 TASM and Trusted Agent contractors had no CVS site number and 4 appeared to have accounts that were deactivated, leaving 202 TASM and Trusted Agent contractors working at other CVS sites.

TASMs also use DEERS Security Online to appoint Trusted Agents. According to DMDC officials, DEERS Security Online does not prevent contractors from becoming Trusted Agents. Rather, DMDC relied on TASMs to ensure that Trusted Agents were not contractors.

Monitoring and Deactivation of CAC Sponsor Accounts

DMDC data indicated that 45 CVS sites had no TASM to manage Trusted Agents. Trusted Agents at these unmanaged sites processed 2,080 CVS applications during the first 6 months of 2007. DMDC officials stated that the data showed some sites appeared to have no TASMs because the TASMs may never have logged in to CVS, or their use of CVS was suspended because of inactivity. Without a TASM, Trusted Agents who left Government service could not have had their accounts deactivated in CVS. According to DMDC data, the accounts of only 10 out of 2,033 TASMs and 10 out of 8,627 Trusted Agents have been deactivated since DoD started using CVS in 2006.

The DMDC CVS User’s Guide states that SPOCs are responsible for working with the DMDC Security Team to register, appoint, and remove TASMs. It was unclear how SPOCs accounted for TASMs at each CVS site under their Service or agency. Additionally, the DMDC CVS User’s Guide did not include instructions telling TASMs to remove a Trusted Agent who no longer needed access to CVS.

Conclusion

DMDC data indicated that CACs could be approved by contractors and by sponsors who have left Government service. This increases the risk of unauthorized access to Government facilities and information.
This risk could be minimized by improving system controls and increasing SPOC and TASM oversight to strengthen the process for appointing TASMs and Trusted Agents and deactivating their CVS accounts.

Actions Taken by the Defense Manpower Data Center

DMDC officials stated that they intended to conduct a self-audit to determine whether TASMs and Trusted Agents were contractors, and, if so, to alert SPOCs to take action. In addition, DMDC officials confirmed that TASMs and Trusted Agents must be Government personnel and stated that they communicated this requirement to SPOCs.

At the end of April 2008, DMDC and the Services started an internal review of Trusted Agents who were contractors. DMDC stated that the Services disabled CVS accounts of Trusted Agents who were contractors. On September 23, 2008, DMDC officials estimated that they would complete this action by November 2008.

Recommendations, Client Comments, and Our Response

D.1. We recommend that the Director, Defense Manpower Data Center:

    a. Develop and implement procedures to:

        (1) Verify that Trusted Agent Security Managers and Trusted Agents are Government employees before authorizing sponsorship duties.

Client Comments

The Deputy Under Secretary of Defense for Program Integration, responding for the Director, DMDC, agreed, stating that DMDC will implement procedures through the Security Online System to verify that a TASM or Trusted Agent is a Government employee or military member.
In addition, the Deputy Under Secretary stated that, until a new release of the Security Online System is available, DMDC will provide reports to CVS SPOCs to review and determine the appropriate corrective action for those identified to be inappropriately designated as TASMs and Trusted Agents.

Our Response

The Deputy Under Secretary’s comments were responsive, and no additional comments are required.

        (2) Verify that Contractor Verification System sites have active Trusted Agent Security Managers.

Client Comments

The Deputy Under Secretary of Defense for Program Integration, responding for the Director, DMDC, agreed, stating that DMDC currently monitors the activity of TASM accounts, and if they are inactive for more than 45 days, the account is automatically suspended; after 60 days, the account is deleted. Additionally, the Deputy Under Secretary stated that to reactivate an account the TASM must contact DMDC. Further, the Deputy Under Secretary stated DMDC notifies the CVS SPOCs when there is a site with an inactive TASM.

Our Response

The Deputy Under Secretary’s comments were responsive, and no additional comments are required.

    b. Establish a plan with defined milestones to identify and deactivate the Contractor Verification System accounts of all current non-Government Trusted Agent Security Managers and Trusted Agents, and implement this plan.

Client Comments

The Deputy Under Secretary of Defense for Program Integration, responding for the Director, DMDC, agreed, stating that DMDC will periodically provide the CVS SPOCs a list of active TASMs and Trusted Agents to review and determine which individuals should not be TASMs or Trusted Agents.
After we received the Deputy Under Secretary’s official comments, we received additional comments from the DMDC Chief, Operations-Personnel Identity Protection Solutions Division, explaining the four phases involved in deactivating CVS accounts of non-Government TASMs and Trusted Agents. The DMDC Chief stated that Phase Four, requesting Service/Agency compliance with removing non-Government TASMs and Trusted Agents, will be completed by November 2008.

Our Response

The Deputy Under Secretary’s and the DMDC Chief’s comments were responsive, and no additional comments are required.

D.2. We recommend that the Under Secretary of Defense for Personnel and Readiness; Under Secretary of Defense for Acquisition, Technology, and Logistics; and the Under Secretary of Defense for Intelligence incorporate into the joint Common Access Card policy (see Recommendation A.5.) a requirement for Contractor Verification System Service Points of Contact to confirm periodically that Trusted Agent Security Managers and Trusted Agents are authorized to approve contractor Common Access Cards.
The joint policy should state how often the Service Points of Contact should perform this action.

Client Comments

The Deputy Under Secretary of Defense for Program Integration, responding for the USD (P&R), agreed, stating that procedures and processes would be outlined in the DoD instruction referenced in response to Recommendation A.3.e.(1).

The Principal Deputy Director, Acquisition Resources and Analysis, responding for the USD (AT&L), agreed, stating that the USD (AT&L) will work with the USD (P&R) and the Under Secretary of Defense for Intelligence to implement this recommendation.

The Under Secretary of Defense for Intelligence agreed, stating that the staff in the Office of the Secretary of Defense has convened a working group to address Homeland Security Presidential Directive-12 implementation and CAC policy.

Our Response

The Deputy Under Secretary’s, Principal Deputy Director’s, and Under Secretary’s comments were responsive, and no additional comments are required.

Appendix A. Scope and Methodology

We conducted this performance audit from August 2007 through July 2008 in accordance with generally accepted government auditing standards.[1] Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We conducted this audit at 32 CVS and 35 RAPIDS sites at the following locations:

    • U.S. Army
        o Headquarters, Department of the Army, Arlington, Virginia
        o Fort Belvoir, Virginia
        o Fort Hood, Texas
        o Fort Bragg, North Carolina
        o Fort Monmouth, New Jersey[2]

    • U.S. Navy
        o Commander, Navy Region Mid-Atlantic, Norfolk, Virginia
        o Commander, Navy Region Southwest, San Diego, California
        o Naval Station Norfolk, Virginia
        o Naval Station San Diego, California
        o Naval Air Station, Patuxent River, Maryland

    • U.S. Air Force
        o Randolph Air Force Base, Texas
        o Lackland Air Force Base, Texas
        o Wright-Patterson Air Force Base, Ohio
        o Edwards Air Force Base, California

    • U.S. Marine Corps
        o Marine Corps Base, Quantico, Virginia
        o Marine Corps Base, Camp Lejeune, North Carolina
        o Marine Corps Air Station, New River, North Carolina
        o Marine Corps Air Station, Miramar, California
        o Marine Corps Recruit Depot, San Diego, California

    • Other
        o Defense Contract Management Agency, Houston, Texas (KBR Deployment Processing Center)
        o Defense Finance and Accounting Service, Indianapolis, Indiana
        o Department of State, Washington, D.C.[3]

[1] We conducted a research project on contractor CACs from June through August 2007. Some evidence collected for this research project was used to support our audit results.

[2] Interviews with personnel at this site were performed by telephone.

We interviewed CVS SPOCs, TASMs, Trusted Agents, RAPIDS Site Security Managers, and other personnel responsible for the CAC program.
We also collected documentation about CVS and RAPIDS procedures as well as information to test these procedures for contractors in our statistical samples. We also interviewed officials from the following:

    • Office of the USD (AT&L);
    • Office of the USD (P&R), Defense Human Resources Activity;
    • Office of the Under Secretary of Defense for Intelligence;
    • Office of the Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer;
    • Army Materiel Command;
    • U.S. Army Human Resources Command;
    • Office of the Deputy Under Secretary of the Army—Business Transformation;
    • Director, DMDC; and
    • Office of the Director, Defense Procurement and Acquisition Policy.

Finally, we performed work at DMDC-East in Arlington, Virginia, and DMDC-West in Monterey, California. Specifically, we obtained an understanding of the DEERS, RAPIDS, and CVS systems as well as of the data processed and stored within these systems. We also obtained an understanding of how DD Forms 1172-2 were processed by DMDC and collected some of these forms for audit testing. In addition, we obtained several sets of data, from which we drew four statistical samples to perform audit testing. These data sets are explained in the “Use of Computer-Processed Data” section, and the statistical samples are explained in the “Use of Technical Assistance” section.

Review of Internal Controls

We identified material internal control weaknesses in the DoD contractor CAC life cycle as defined by DoD Instruction 5010.40, “Managers’ Internal Control (MIC) Program Procedures,” January 4, 2006.
DoD did not have a joint policy that required contractor CACs to be consistently approved, issued, reverified, and revoked and recovered. Further, DoD did not have procedures to oversee and verify CAC sponsors and their managers. In addition, neither CVS nor RAPIDS had automated controls to prevent improper changes to contractor CAC records. Implementing the recommendations in this report should strengthen national security. A copy of this report will be sent to the senior DoD official responsible for internal controls.

[3] Department of State Trusted Agents at this location worked for a CVS site managed by the Department of the Army.

Use of Computer-Processed Data

We relied on six sets of computer-processed data from DMDC for this audit:

    • CVS applications from January 1 through June 30, 2007;
    • CVS reverifications from January 1 through June 30, 2007;
    • CVS TASM and TA rosters through July 27, 2007;
    • DEERS records of issued CACs that were active as of July 19, 2007;
    • DEERS records of revoked CACs from January 1 through June 30, 2007; and
    • ILP CAC terminations from January 1 through November 2, 2007.

We used these data to draw four statistical samples that answered seven questions related to the contractor CAC life cycle as follows.

    • CVS applications sample
        o How many applicants worked on valid Government contracts?
        o How many applicants were approved to have a CAC for the length of their contract or 3 years, whichever was shorter?

    • CVS reverifications sample
        o How many contractors had a continued need to possess a CAC?

    • DEERS records of issued CACs
        o For how many contractors was information in DEERS consistent with the information maintained either in CVS or on the DD Form 1172-2?
        o For how many contractors was the issued CAC supported by either a CVS application or the DD Form 1172-2?
        o How many contractors had a completed NACI?

    • DEERS records of revoked CACs[4]
        o How many revoked CACs were recovered?

In addition, we used computer-processed data to test the following nonsample questions.

    • How many TASMs and TAs were contractors?
    • How many TASMs and TAs were deactivated from CVS?
    • How many CVS applications were managed by each TASM and TA?
    • How many contractors had multiple active CACs?
    • How many contractors have Government pay grades on their CACs?
    • How many CACs with Government pay grades were Geneva Conventions CACs?
    • How many contractors have “.mil” e-mail addresses and three digital certificates on their CACs to facilitate identification, signing e-mail, and encrypting e-mail?
    • How many contractors with a “.mil” e-mail address and three digital certificates on their CACs were identified as contractors in their e-mail addresses, in accordance with DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003?
    • How many contractor CACs were revoked because they were lost?
    • How many contractors issued CACs at the KBR Deployment Processing Center were planning to work in Southwest Asia?
    • How many revoked contractor CACs, issued at the KBR Deployment Processing Center, were recovered?
    • For what length of time were CACs issued at the KBR Deployment Processing Center valid?

[4] We used ILP CAC termination data to determine whether revoked CACs were recovered.

The computer-processed data were sufficiently reliable, based on tests performed, given our use of the data previously described. However, we did identify several errors in the computer-processed data, none of which significantly impacted our audit results. To further minimize the impact of errors in the data, we obtained additional written and testimonial evidence during our site visits to support our audit results. The detailed discussion of errors in the computer-processed data sets will be provided on request.

Use of Technical Assistance

The contractor CAC life cycle occurred worldwide across 1,397 CVS sites and 1,474 RAPIDS sites.[5] Due to the scope of this process, we decided to use statistical sampling for the audit. The first step for statistical sampling was to develop subpopulations for the data sets corresponding to the contractor CAC life cycle. These subpopulations were developed by identifying the CVS and RAPIDS locations with the highest levels of activity (i.e., CVS applications managed, reverifications conducted, and CACs issued) for the Services and agencies. Based on the four locations with the most activity for each Service and agency, we determined geographic clusters with 129 CVS and 89 RAPIDS sites which comprised our subpopulations. These subpopulations included Army, Navy, Air Force, Marine Corps, and Defense Agency CVS and RAPIDS sites.
The number of records in each subpopulation was as follows:

    • 39,532 CVS applications,
    • 32,098 CVS reverifications,
    • 97,117 issued CACs, and
    • 28,205 revoked CACs.

The Office of Inspector General Quantitative Methods Directorate developed the statistical samples of (1) CVS applications, (2) CVS reverifications, (3) CACs issued, and (4) CACs revoked for each audit subpopulation. They used stratified sample design to ensure that each of the Services and agencies in our subpopulations were appropriately represented in the samples. The Quantitative Methods Directorate used SAS (Statistical Analysis System) to select appropriate random samples from each stratum. In addition, they performed calculations to make statistically defensible estimates for the subpopulations based on the audited sample results and assisted in interpreting and using the estimates correctly. See Appendix B for detailed information about the work performed by the Quantitative Methods Directorate.

[5] The number of CVS and RAPIDS sites includes deployable sites and was based on data obtained in August 2007.

In addition, the Office of Inspector General Personnel Security Office provided JPAS results for each statistically selected issued CAC record. Specifically, Security officials queried JPAS for each individual in the sample by their Social Security number. This information was extracted during November 2007.

Prior and Related Coverage

This audit is the first in a series on the contractor CAC. The second in the series focuses on the contractor CAC in Southwest Asia. The third in the series focuses on the contractor CAC in the Republic of Korea.
Subsequent CAC audits may be planned for other overseas locations.

During the last 5 years, the Government Accountability Office, the Department of Defense Inspector General, the Naval Audit Service, and the Air Force Audit Agency have issued seven reports discussing CACs. Unrestricted Government Accountability Office reports can be accessed over the Internet at http://www.gao.gov. Unrestricted Department of Defense Inspector General reports can be accessed at http://www.dodig.mil/audit/reports. Unrestricted Naval Audit Service reports are not available over the Internet. Unrestricted Air Force Audit Agency reports can be accessed over the Internet at http://www.afaa.hq.af.mil/domainck/index.shtml.

Government Accountability Office

Government Accountability Office Report No. GAO-07-525T, “Stabilizing and Rebuilding Iraq: Conditions in Iraq Are Conducive to Fraud, Waste, and Abuse,” April 23, 2007

Government Accountability Office Report No. GAO-06-178, “Agencies Face Challenges in Implementing New Federal Employee Identification Standard,” February 2006

Department of Defense Inspector General

Department of Defense Inspector General Report No. D-2008-104, “DoD Implementation of Homeland Security Presidential Directive-12,” June 23, 2008

Navy

Naval Audit Service Report No. N2005-038, “Common Access Card Implementation,” April 8, 2005

Air Force

Air Force Audit Agency Report No. F2008-0005-FD2000, “Controls Over Contractor Identification,” April 2, 2008

Air Force Audit Agency Report No. F2007-0018-FCR000, “Common Access Card Use for Physical Access, Headquarters Air Force Reserve Command, Robins Air Force Base, GA,” April 27, 2007

Air Force Audit Agency Report No. F2007-0014-FCR000, “Common Access Card Use for Physical Access, 116th Air Control Wing, Robins Air Force Base, GA,” April 12, 2007

Appendix B. Estimates Based on Statistical Sampling

We requested estimates from the Office of Inspector General’s Quantitative Methods Directorate to answer questions explained in Appendix A in the “Use of Computer-Processed Data” section.[1] In general, these estimates quantified the weaknesses present in each phase of the contractor CAC life cycle. The estimates are based on a 90-percent confidence level. The 90-percent confidence level means there is a 10-percent risk that the interval does not encompass the true subpopulation value.

The statistical estimates are in the table below. The first row in the table shows that between 76.17 percent and 89.68 percent of the 39,532 CVS applications did not have enough evidence to link the applicant to a valid Government contract. The point estimate[2] was 82.93 percent. The corresponding number of CVS applications with insufficient evidence linking the applicant to a valid Government contract lies in a range from 30,113 to 35,451, with a point estimate of 32,782. The other seven estimates can be interpreted the same way.

[1] There were only seven sample questions in Appendix A.
The eighth estimate was done to determine the number of revoked CACs for which recovery was undeterminable.

[2] The point estimate is a single numerical value halfway between the upper and lower bounds.

Detailed Statistical Estimates of Weaknesses in Each Phase of the Contractor CAC Life Cycle

Answer to Question in Appendix A                          Lower Bound       Point Estimate    Upper Bound       Records in
                                                          (Percent)         (Percent)         (Percent)         Subpopulation
CVS Applications: Applicants Whose Link to a Valid        30,113 (76.17)    32,782 (82.93)    35,451 (89.68)    39,532
  Government Contract Was Undeterminable
CVS Applications: Applicants Whose CAC Issuance Length    33,332 (84.32)    35,383 (89.50)    37,434 (94.69)    39,532
  Cannot Be Determined To Be Appropriate
CVS Reverifications: Contractors Whose Continued Need     28,054 (87.40)    29,544 (92.04)    31,033 (96.68)    32,098
  to Possess a CAC Was Undeterminable
RAPIDS CACs Issued: Contractors Whose DEERS Record Was    20,918 (21.54)    28,606 (29.45)    36,293 (37.37)    97,117
  Inconsistent With Information in CVS or on
  DD Form 1172-2
RAPIDS CACs Issued: Contractors Who Were Issued a CAC     8,973 (9.24)      15,722 (16.19)    22,471 (23.14)    97,117
  Without an Approved CVS Application or DD Form 1172-2
RAPIDS CACs Issued: Contractors Who Did Not Have a        32,090 (33.04)    39,320 (40.49)    46,550 (47.93)    97,117
  Completed NACI
RAPIDS CACs Revoked: Contractors Whose Revoked CACs       8,570 (30.38)     10,675 (37.85)    12,780 (45.31)    28,205
  Were Not Recovered
RAPIDS CACs Revoked: Contractors For Whom Recovery of     3,751 (13.30)     5,615 (19.91)     7,480 (26.52)     28,205
  Revoked CAC Was Undeterminable

Appendix C. Multiple Active CACs

The table below shows which types of multiple active CACs were held by DoD and non-DoD contractors, based on the computer-processed data we obtained from DMDC. Generally, the meaning for each type of CAC is as follows:

    • Identification. This is a regular CAC for physical and, in some cases, logical computer access.
    • Identification Privilege. This is an Identification CAC that may have privileges; for example: commissary, morale and welfare, and recreation.
    • Accompanying Armed Forces. This is a Geneva Conventions CAC, as described in finding C.
    • PIV. Personal Identity Verification CACs are CACs designed for compliance with Homeland Security Presidential Directive-12.

Contractors With Multiple Active CACs

Type of Personnel                       Types of CACs                                                 Number of Contractors   Total
DoD Contractor                          Identification and Accompanying Armed Forces                  13
                                        Identification and Identification Privilege                   26
                                        Identification and PIV Identification                         11
                                        Identification and Two Identification Privilege               1
                                        Identification Privilege and Accompanying Armed Forces        6
                                        Two Accompanying Armed Forces                                 16
                                        Two Identification                                            567
                                        Two Identification Privilege                                  20                      660
DoD Contractor/non-DoD Civil Servant    Identification Privilege and Accompanying Armed Forces        5
                                        PIV Identification Privilege, and Accompanying Armed Forces   1
                                        Identification and Accompanying Armed Forces                  3
                                        Identification and Identification Privilege                   5
                                        Two Identification                                            43
                                        Two Identification Privilege                                  5                       62
DoD Contractor/OCONUS Hire              Identification and Accompanying Armed Forces                  2
                                        Identification and Identification Privilege                   5
                                        Two Identification                                            13                      20
DoD/non-DoD Contractor                  Identification and Identification Privilege                   1
                                        Two Identification                                            28
                                        Two Identification Privilege                                  1                       30
Total                                                                                                                         772

Note: Based on the DMDC data, the 772 contractors had a total of 1,545 CACs: 771 contractors each had 2 CACs (771 x 2 = 1,542), and a contractor had 3 CACs, totaling 1,545 CACs (1,542 + 3).

Appendix D. Contract Clauses Governing CAC Recovery

The table below explains the applicability, strengths, and weaknesses of the two standard contract clauses governing the contractor CAC life cycle.

Standard Contract Clause Applicability, Strengths, and Weaknesses

Clause: Federal Acquisition Regulation 52.204-9
    Applicability: All DoD contracts; the Contracting Officer inserts after determining that a contractor employee requires “routine” physical or logical access to DoD assets.
    Strengths:
        1. The clause requires the contractor to comply with agency personal identity verification procedures.
        2. The contracting company is required to insert this clause into all subcontracts when its personnel require physical or logical access.
    Weaknesses:
        1. “Routine” is open to interpretation, and Contracting Officers may not apply it consistently to contractors. Also, subcontract administrators may not apply it consistently to subcontracts.

Clause: Air Force Federal Acquisition Regulation Supplement
    Applicability: All Air Force contracts; inserted after determination that contractor personnel require physical and/or logical access to DoD assets.
    Strengths:
        1. This clause appears to be required whenever CAC is issued to a contractor.
    Weaknesses:
        1. The Air Force Federal Acquisition Regulation Supplement allows the clause or one similar to it to be added to contracts. Therefore, consistency of
   the strengths and weaknesses in the\n5342.490-2                                                                    clause is unknown.\n                                              2. The clause specifies         2. The procedures are outdated and\n                                              procedures for the              should not include an option to fill out\n                                              contractor to request a         a DD Form 1172-2. Rather, the\n                                              CAC.                            procedures should require the\n                                                                              contractors to use CVS.\n                                              3. This clause addresses        3. Contractors have 7 days to return\n                                              CAC return when the             their CAC. It is not clear whether\n                                              contract ends or in certain     anyone in the Air Force is responsible\n                                              contingency situations.         for ensuring the CAC is recovered\n                                                                              when access is no longer required.\n\n                                              4. The clause instructs         4. The Air Force Federal Acquisition\n                                              contractors to properly         Regulation Supplement does not\n                                              display the CAC.                require contractors to include this\n                                                                              clause in subcontracts when\n                                                                              subcontractor personnel require\n                                                                              physical and/or logical access.\n                                              5. 
This clause allows the Air\n                                              Force to withhold final\n                                              contract payment for\n                                              violations of the clause.\n\n\n\n\n                                                      69\n\x0c70\n\x0cUnder Secretary of Defense for Acquisition, Technology,\nand Logistics Comments\n\n                                                            Final Report\n                                                             Reference\n\n\n\n\n                                                          Renumbered as\n                                                          Recommendation\n                                                          A.2.\n\n                                                          Renumbered as\n                    Click to add JPEG file                Recommendation\n                                                          A.5.\n\n\n\n                                                          Renumbered as\n                                                          Recommendation\n                                                          A.5.\n\n\n\n\n                                                          Renumbered as\n                                                          Recommendation\n                                                          A.4.\n\n\n\n\n                                   71\n\x0c                           Final Report\n                            Reference\n\n\n\n                         Renumbered as\n                         Recommendation\n                         A.3.c.\n\n\n\n\n                         Renumbered as\n                         Recommendation\n                         A.5.\n\n\n\n\nClick to add JPEG file\n\n\n\n\n               72\n\x0cUnder Secretary of Defense for Personnel and Readiness\nComments\n\n\n\n\n                   Click to add JPEG file\n\n\n\n\n                          
[Final Report Reference margin notes on the Under Secretary of Defense for Personnel and Readiness comment pages, in order: Renumbered as Recommendation A.3.; Revised; Revised; Renumbered as Recommendation A.3.; Revised; Revised; Renumbered as Recommendation A.3.e.(1); Renumbered as Recommendation A.3.c.; Renumbered as Recommendation A.3.d.; Renumbered as Recommendation A.3.e.(1); Renumbered as Recommendations A.3.e.(2) and A.3.e.(1); Renumbered as Recommendation A.5.; Renumbered as Recommendation A.4.; Renumbered as Recommendation A.3.c.; Renumbered as Recommendation A.5.; Renumbered as Recommendation A.3.e.(1); Renumbered as Recommendation A.3.c.; Renumbered as Recommendation A.6.; Renumbered as Recommendation A.5.B.(5); Renumbered as Recommendation A.6.; Renumbered as Recommendation A.3.e.(1); Revised; Revised; Renumbered as Recommendation A.5.; Renumbered as Recommendation A.3.e.(1)]


Under Secretary of Defense for Intelligence Comments

[Scanned comment letter not reproduced. Final Report Reference margin notes, in order: Renumbered as Recommendation A.4.; Renumbered as Recommendation A.5.; Renumbered as Recommendation A.4.; Renumbered as Recommendation A.3.c.; Renumbered as Recommendation A.5.a.; Renumbered as Recommendation A.5.b.; Renumbered as Recommendation A.5.]


Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer Comments

[Scanned comment letter not reproduced.]


U.S. Army Materiel Command Comments

[Scanned comment letter not reproduced.]


Deputy Under Secretary of the Army for Business Transformation Comments

[Scanned comment letter not reproduced. Final Report Reference margin notes, in order: Revised; Pages 29-30; Page 32; Page 33]


U.S. Army Human Resources Command Comments

[Scanned comment letter not reproduced. Final Report Reference margin note: Renumbered as Recommendation B.4.]


Team Members

The Department of Defense Office of the Deputy Inspector General for Auditing, Joint and Overseas Operations prepared this report. Personnel of the Department of Defense Office of Inspector General who contributed to the report are listed below.

Paul J. Granetto
Donald A. Bloomer
Carol N. Gorman
Melinda M. Oleksa
Dewayne J. McOsker, Jr.
Michael D. Durda
Hanh T. Nguyen
Thomas T. Nguyen
David M. Staley
Anthony M. Torres
Christopher S. Groubert
Dharam Jain
Kandasamy Selvavel
Gregory Collins
Allison E. Tarmann
"